Active Exploitation Alert: Critical CVE-2026-42945 NGINX Rift Vulnerability in NGINX and F5 Products—Patch Immediately

Executive Summary

In May 2026, F5 and NGINX disclosed and patched a set of critical and high-severity vulnerabilities impacting NGINX Open Source, NGINX Plus, and several related F5/NGINX products. The most severe, CVE-2026-42945 (dubbed "NGINX Rift"), is a heap-based buffer overflow in the ngx_http_rewrite_module. This flaw, present since 2008, affects all NGINX versions from 0.6.27 through 1.30.0 and NGINX Plus R32–R36. It enables unauthenticated remote code execution (RCE) on systems with Address Space Layout Randomization (ASLR) disabled and denial-of-service (DoS) on all systems. A public proof-of-concept (PoC) exploit is available, and active exploitation risk is confirmed. The vulnerability’s reach, combined with the ubiquity of NGINX in modern web infrastructure, makes immediate remediation essential for all organizations running affected products.

Technical Information

CVE-2026-42945 is a heap-based buffer overflow vulnerability in the ngx_http_rewrite_module of NGINX. The vulnerability arises from improper memory management during URI construction when a rewrite directive with an unnamed PCRE capture (such as $1) and a question mark is followed by a set directive. This miscalculation leads to a heap overflow during URI escaping, which can be triggered by a single unauthenticated HTTP request.

The vulnerability is rated CVSS 9.2 (Critical) by F5 Networks. It was discovered through autonomous AI analysis by the security research group depthfirst. The flaw is particularly dangerous because it can be exploited remotely and without authentication, requiring only a single crafted HTTP request to a vulnerable NGINX instance with the affected configuration.

A typical vulnerable configuration might look like:

location /api/ {
    # unnamed capture ($1) plus a trailing "?" in the replacement...
    rewrite ^/api/(.+)$ /backend/$1? last;
    # ...followed by a set directive: the combination the advisory describes
    set $target_param $1;
}

In this scenario, the use of an unnamed capture group ($1) in the rewrite directive, followed by a set directive, triggers the vulnerable code path.

The impact of exploitation is twofold. On all systems, a successful exploit will crash the NGINX worker process, resulting in a denial-of-service. On systems where ASLR is disabled, the vulnerability can be leveraged for full unauthenticated remote code execution, allowing attackers to execute arbitrary code with the privileges of the NGINX process.

A public PoC exploit is available on GitHub (depthfirstsec/nginx-rift-poc), and security researchers have confirmed that exploitation is straightforward for attackers with knowledge of the flaw.

In addition to CVE-2026-42945, the same security audit uncovered several related vulnerabilities: CVE-2026-42946 (excessive memory allocation, CVSS 8.3), CVE-2026-40701 (use-after-free in the SSL module, CVSS 6.3), and CVE-2026-42934 (out-of-bounds read in the charset module, CVSS 6.3). While these are less severe, they further underscore the need for comprehensive patching.

Exploitation in the Wild

The public release of a working PoC exploit on May 13, 2026, has dramatically increased the risk of exploitation. Industry experience and open-source reporting indicate that weaponization and mass scanning typically occur within hours to days of public disclosure for vulnerabilities of this severity. Security researchers and threat intelligence sources, including the Cloud Security Alliance and community forums such as Reddit, have reported active scanning for vulnerable NGINX instances.

Indicators of compromise include unusual NGINX worker process crashes, unexpected HTTP requests targeting endpoints with rewrite-and-set directive patterns, and the presence of crafted requests exploiting $1, $2, etc., in rewrite rules. Artifacts from the public PoC exploit may also be present in logs or memory dumps.

The attack vector is a remote, unauthenticated HTTP request to a vulnerable NGINX instance with the affected configuration. The exploit does not require prior access or authentication, making it highly attractive for both opportunistic and targeted attackers.

APT Groups Using This Vulnerability

As of this writing, there is no public attribution to specific advanced persistent threat (APT) groups exploiting CVE-2026-42945. However, the vulnerability’s unauthenticated nature and the global prevalence of NGINX make it highly attractive for both opportunistic cybercriminals and sophisticated nation-state actors. The MITRE ATT&CK framework classifies exploitation of this type under T1190: Exploit Public-Facing Application and T1210: Exploitation of Remote Services. Security teams should assume that both automated and targeted exploitation are likely, especially given the rapid availability of a public PoC and the criticality of the vulnerability.

Affected Product Versions

The following products and versions are affected by CVE-2026-42945 and related vulnerabilities:

NGINX Open Source versions 0.6.27 through 1.30.0 are vulnerable, with the issue resolved in versions 1.30.1 (stable) and 1.31.0. NGINX Plus versions R32 through R36 are affected, with patches available in R32 P6 and R36 P4. NGINX Instance Manager versions 2.16.0 through 2.21.1, NGINX App Protect WAF versions 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0, F5 WAF for NGINX versions 5.9.0 through 5.12.1, F5 App Protect DoS versions 4.3.0 through 4.7.0 and 4.8.0, NGINX Gateway Fabric versions 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1, and NGINX Ingress Controller versions 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1 are all impacted. Kubernetes environments using NGINX Ingress Controller or Gateway Fabric are directly affected and should be prioritized for review and remediation.

For the most up-to-date information on affected versions and patch availability, consult the F5 advisory, NGINX Security Advisories, and NIST NVD.

Workaround and Mitigation

Immediate patching is the most effective mitigation. Organizations should upgrade to NGINX Open Source 1.30.1 or 1.31.0, or NGINX Plus R32 P6 or R36 P4, as appropriate. For other affected products, refer to the official F5 advisory for patch details.

If patching is not immediately possible, a temporary workaround is to replace all unnamed PCRE captures ($1, $2, etc.) in rewrite directives with named captures (for example, (?P<name>pattern), referenced as $name in the rewrite replacement and in any following set directive). This change prevents the vulnerable code path from being triggered.

Organizations should audit all NGINX deployments, including those in containerized and Kubernetes-based environments, to identify instances with vulnerable configurations. Monitoring should be enabled on NGINX access logs to detect suspicious requests targeting rewrite-and-set patterns. Short-term risk can be further reduced by applying network segmentation and rate limiting to limit exposure.
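To support the configuration audit described above, here is an added Python example (not part of this advisory or of any F5/NGINX tooling) that scans an nginx configuration fragment for the rewrite-and-set pattern from the Technical Information section and applies the named-capture workaround to a flagged line. The sample configuration, the regular expressions, and the cap1/cap2 group names are constructed assumptions for illustration.

```python
import re

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """server {
    location /api/ {
        rewrite ^/api/(.+)$ /backend/$1? last;
        set $target_param $1;
    }
    location /safe/ {
        rewrite ^/safe/(?P<tail>.+)$ /backend/$tail? last;
        set $target_param $tail;
    }
    location /plain/ {
        rewrite ^/plain/(.+)$ /backend/$1 last;
    }
}"""

REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)")
SET_RE = re.compile(r"^\s*set\s+\$\w+\s+")
UNNAMED_REF_RE = re.compile(r"\$(\d+)")


def find_vulnerable_rewrites(conf: str) -> list[tuple[int, str]]:
    """Flag rewrites that match the advisory's trigger: an unnamed $N reference
    plus a '?' in the replacement, followed by a set directive in the same block."""
    lines, findings = conf.splitlines(), []
    for idx, line in enumerate(lines):
        m = REWRITE_RE.match(line)
        if not m or not (UNNAMED_REF_RE.search(m.group(2)) and "?" in m.group(2)):
            continue
        depth = 0
        for follow in lines[idx + 1:]:
            depth += follow.count("{") - follow.count("}")
            if depth < 0:  # enclosing block closed without a trailing set
                break
            if SET_RE.match(follow):
                findings.append((idx + 1, line.strip()))
                break
    return findings


def to_named_captures(line: str) -> str:
    """Apply the advisory's workaround to one line: plain '(' groups in the rewrite
    regex become (?P<capN>...) and every $N reference becomes $capN. Assumes the
    regex has no escaped or non-capturing parentheses (constructed helper)."""
    m = REWRITE_RE.match(line)
    if m:
        n = iter(range(1, 100))
        named = re.sub(r"\((?!\?)", lambda _: f"(?P<cap{next(n)}>", m.group(1))
        line = line.replace(m.group(1), named, 1)
    return UNNAMED_REF_RE.sub(lambda g: f"$cap{g.group(1)}", line)
```

Run `find_vulnerable_rewrites` over each nginx.conf (including files pulled from ConfigMaps in Kubernetes deployments) and pass both the flagged rewrite line and its following set line through `to_named_captures`, then validate with `nginx -t` before reloading.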

While deploying or updating web application firewall (WAF) rules to detect and block exploit attempts can provide additional protection, WAFs should not be relied upon as the sole mitigation. The only comprehensive solution is to patch all affected systems and remediate vulnerable configurations.

References

Cloud Security Alliance: NGINX Rift Research Note
depthfirstsec: NGINX Rift PoC
NIST NVD: CVE-2026-42945
NGINX Security Advisories: nginx.org/en/security_advisories.html
F5 Advisory: K000161019
Reddit: F5 Addresses Critical Vulnerabilities
GitHub Security Advisory: GHSA-gcgv-v5gf-c543

Rescana is here for you

Rescana is committed to helping organizations manage third-party risk and maintain robust cybersecurity postures. Our TPRM platform provides continuous, automated monitoring and risk assessment for your entire digital supply chain, enabling you to identify and remediate vulnerabilities before they can be exploited. If you have questions about this advisory or need assistance with incident response, our team is ready to help. Please contact us at ops@rescana.com.