Nginx’s 18‑Year‑Old RCE Flaw Exposes One‑Third of Websites
A critical Nginx vulnerability (CVE‑2026‑42945, CVSS 9.2) discovered by depthfirst and F5 allows unauthenticated remote code execution via a single crafted HTTP request, affecting versions 0.6.27‑1.30.0 and roughly one‑third of global websites.
Vulnerability Overview
On 13 May 2026 security researchers depthfirst and F5 disclosed CVE‑2026‑42945 ("NGINX Rift"), a remote‑code‑execution (RCE) flaw affecting Nginx open‑source and commercial releases (0.6.27 – 1.30.0, Plus R32‑R36, etc.). The vulnerability scores 9.2 on CVSS v4.0 and can be triggered without authentication by sending a specially crafted HTTP request.
Root Cause
The flaw resides in the ngx_http_rewrite_module script engine, which processes rewrite directives in two passes. The first pass calculates the output length using an all‑zero buffer and allocates a heap buffer based on the unescaped length. The second pass copies data into the allocated buffer. When the rewrite replacement string contains a question mark (?), the internal is_args flag is set to 1 and is never cleared between passes. Consequently, the second pass escapes characters into their %XX form, expanding each from 1 byte to 3 bytes, so the amount actually written exceeds the allocated buffer and results in a heap buffer overflow.
Exploitation Conditions
In the same location context, both rewrite and set directives are used.
The rewrite replacement string contains a ? character.
The set directive references a regex capture variable such as $1 or $2.
Typical Vulnerable Configuration
location ~ ^/api/(.*)$ {
    rewrite ^/api/(.*)$ /internal?migrated=true;
    set $original_endpoint $1;
}
Proof‑of‑Concept Chain
Proof‑of‑concepts demonstrate a full attack chain. First, a crafted URI filled with “+” characters forces the escape routine to expand each byte, causing a denial‑of‑service (DoS) by crashing the worker process. Example output shows the worker PID changing after the PoC runs, indicating a crash and restart.
# Before PoC
root 7 nginx: master process
nobody 99 nginx: worker process
# After PoC (2 seconds later)
root 7 nginx: master process
nobody 2693 nginx: worker process ← Worker PID changed, process crashed and restarted
For remote code execution, the attacker controls heap layout (using Nginx’s multi‑process architecture), overwrites a neighboring memory‑pool cleanup pointer, and injects a forged ngx_pool_cleanup_s structure containing a system() function pointer. Closing the victim connection triggers ngx_destroy_pool, which walks the cleanup list and executes the injected command. The PoC works reliably on systems with ASLR disabled; with ASLR enabled, repeated requests can gradually overwrite the pointer.
Affected Versions
NGINX open‑source: 0.6.27 – 1.30.0
NGINX Plus: R32 – R36
NGINX Instance Manager: 2.16.0 – 2.21.1
F5 WAF for NGINX: 5.9.0 – 5.12.1
NGINX App Protect WAF: 4.9.0 – 4.16.0, 5.1.0 – 5.8.0
NGINX Ingress Controller: 3.5.0 – 3.7.2, 4.0.0 – 4.0.1, 5.0.0 – 5.4.1
NGINX Gateway Fabric: 1.3.0 – 1.6.2, 2.0.0 – 2.5.1
Mitigation
Upgrade NGINX open‑source to 1.30.1 or 1.31.0; upgrade NGINX Plus to R36 P4+ or R32 P6+ (patches released 13 May 2026).
For derivative builds (e.g., OpenResty, BT panel) without official patches, replace unnamed capture groups with named ones (e.g., ?<name>) in rewrite / set directives to avoid the overflow.
Enable ASLR (verify cat /proc/sys/kernel/randomize_va_space returns 2) and monitor HTTP requests containing excessive ‘+’, ‘%’, ‘&’ characters or suspicious POST bodies.
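As an added example (not code from the page, F5 or depthfirst), the following Python scans an nginx configuration for the three conditions listed under Exploitation Conditions and reports every block that combines a rewrite whose replacement contains a ? with a set directive that references a numbered capture. The two embedded configurations are constructed samples: the vulnerable block quoted above and the same block using the named‑capture workaround recommended for builds without an official patch; the minimal parser and the function names are assumptions of this example, not nginx APIs.

```python
import re

# Constructed sample: the vulnerable location block quoted on this page.
VULNERABLE_CONF = """
location ~ ^/api/(.*)$ {
    rewrite ^/api/(.*)$ /internal?migrated=true;
    set $original_endpoint $1;
}
"""
# Constructed sample: same block using the page's named-capture workaround.
MITIGATED_CONF = """
location ~ ^/api/(.*)$ {
    rewrite ^/api/(?<path>.*)$ /internal?migrated=true;
    set $original_endpoint $path;
}
"""
TOKENS = re.compile(r"#[^\n]*|[;{}]|[^;{}#]+")  # comments, delimiters, text runs
NUMBERED_CAPTURE = re.compile(r"\$\d+")          # $1, $2, ... references

def parse(conf):
    """Tiny nginx config parser -> tree of (args, children_or_None); assumes no quoted ';' or braces."""
    stack, buf = [[]], ""
    for tok in TOKENS.findall(conf):
        if tok.startswith("#"):
            continue
        if tok == ";":
            stack[-1].append((buf.split(), None)); buf = ""
        elif tok == "{":
            stack.append([]); stack[-2].append((buf.split(), stack[-1])); buf = ""
        elif tok == "}":
            stack.pop()
        else:
            buf += tok
    return stack[0]

def find_vulnerable_blocks(conf):
    """Headers of blocks that pair a rewrite whose replacement contains '?'
    with a set that references a numbered capture ($1, $2, ...) in the same block."""
    hits = []
    def walk(directives):
        for args, children in (d for d in directives if d[1] is not None):
            own = [a for a, c in children if c is None and a]  # this block's own directives
            rewrite_q = any(a[0] == "rewrite" and len(a) > 2 and "?" in a[2] for a in own)
            set_num = any(a[0] == "set" and len(a) > 2
                          and NUMBERED_CAPTURE.search(" ".join(a[2:])) for a in own)
            if rewrite_q and set_num:
                hits.append(" ".join(args))
            walk(children)  # nested if/location blocks are checked too
    walk(parse(conf))
    return hits
```

Run it over the output of `nginx -T` to cover included files; a reported block is one to patch or convert to named captures.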
Discovery Timeline
2026‑04‑18: depthfirst’s automated scanner examined the NGINX source for six hours and identified five issues.
2026‑04‑21: Report submitted via GitHub security advisory.
2026‑04‑24: NGINX acknowledged four of the issues.
2026‑04‑28: NGINX released a working RCE PoC.
2026‑05‑05: PoC and demo video shared with NGINX.
2026‑05‑13: F5 published the security advisory, making CVE‑2026‑42945 public.
Su San Talks Tech
Su San, former staff at several leading tech companies, is a top creator on Juejin and a premium creator on CSDN, and runs the free coding practice site www.susan.net.cn.