18-Year-Old NGINX Vulnerability "NGINX Rift" Exposes Servers to RCE Risk

Critical 18-Year-Old NGINX Vulnerability Exposes Servers to Remote Code Execution

Cybersecurity experts have recently uncovered a significant security flaw in NGINX, a widely used web server software. This vulnerability, identified as CVE-2026-42945 and nicknamed NGINX Rift, has been present unnoticed for 18 years. It affects both NGINX Plus and NGINX Open Source versions, posing a serious risk of remote code execution (RCE) and denial-of-service (DoS) attacks.

Understanding the Vulnerability

The flaw resides in the ngx_http_rewrite_module, a component responsible for URL rewriting and redirection. Specifically, the issue arises when the rewrite directive is followed by another rewrite, if, or set directive, and an unnamed Perl-Compatible Regular Expression (PCRE) capture (e.g., $1, $2) is used with a replacement string containing a question mark (?). This configuration can lead to a heap buffer overflow, allowing attackers to send specially crafted HTTP requests that exploit this weakness.

Potential Impact

An unauthenticated attacker can exploit this vulnerability by sending malicious HTTP requests, leading to a heap buffer overflow in the NGINX worker process. This overflow can cause the worker process to restart, disrupting service. In systems where Address Space Layout Randomization (ASLR) is disabled, the vulnerability becomes even more critical, potentially enabling remote code execution. This means an attacker could execute arbitrary code on the server, gaining control over the system.

Discovery and Disclosure

The vulnerability was discovered by the cybersecurity firm depthfirst and reported to F5, the company behind NGINX, on April 21, 2026. F5 promptly acknowledged the issue and released an advisory detailing the affected versions and recommended actions. The flaw has been present since the initial release of the ngx_http_rewrite_module, making it an 18-year-old vulnerability that has only now been identified and addressed.

Affected Versions and Patches

The following versions of NGINX are affected by this vulnerability:

– NGINX Plus R32 to R36
– NGINX Open Source 1.0.0 to 1.30.0
– NGINX Open Source 0.6.27 to 0.9.7
– NGINX Instance Manager 2.16.0 to 2.21.1
– F5 WAF for NGINX 5.9.0 to 5.12.1
– NGINX App Protect WAF 4.9.0 to 4.16.0
– NGINX App Protect WAF 5.1.0 to 5.8.0
– F5 DoS for NGINX 4.8.0
– NGINX App Protect DoS 4.3.0 to 4.7.0
– NGINX Gateway Fabric 1.3.0 to 1.6.2
– NGINX Gateway Fabric 2.0.0 to 2.5.1
– NGINX Ingress Controller 3.5.0 to 3.7.2
– NGINX Ingress Controller 4.0.0 to 4.0.1
– NGINX Ingress Controller 5.0.0 to 5.4.1

F5 has released patches to address this vulnerability in the following versions:

– NGINX Plus R32 P6 and R36 P4
– NGINX Open Source 1.30.1 and 1.31.0

For older versions, particularly NGINX Open Source 0.6.27 to 0.9.7, no fixes are planned. Users of these versions are strongly advised to upgrade to a supported version to mitigate the risk.

Mitigation Strategies

If immediate patching is not feasible, administrators can modify their NGINX configuration as a temporary workaround. This involves replacing unnamed captures with named captures in every affected rewrite directive. While this does not eliminate the vulnerability, it reduces the risk of exploitation until the system can be fully updated.
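As an added illustration (example code written for this article, not from F5's advisory or NGINX itself), the Python script below flags rewrite directives that match the trigger described above in a simplified configuration and applies the named-capture workaround mechanically. The line-oriented parser, the constructed sample configuration and the `cN` group names are this example's own assumptions, and the check is a heuristic to help locate affected directives, not a replacement for patching.

```python
import re
from itertools import count

# Constructed sample config (not from the advisory): shows the trigger pattern.
SAMPLE_CONF = """
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?legacy=1 last;
        set $legacy 1;
    }
}
"""

def parse_directives(conf):
    """Minimal line-oriented parser (one directive per line, trailing '{' opens a
    block, lone '}' closes it); returns (block_id, name, args) for rewrite/if/set."""
    stack, next_id, out = [0], 1, []
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r'(rewrite|if|set)\s+(.*?)\s*[{;]?$', line)
        if m:
            out.append((stack[-1], m.group(1), m.group(2)))
        if line.endswith('{'):
            stack.append(next_id)
            next_id += 1
        elif line == '}':
            stack.pop()
    return out

def find_risky_rewrites(conf):
    """Replacement strings of rewrites matching the advisory's trigger: an unnamed
    capture ($N) and a '?' in the replacement, then rewrite/if/set in the same block."""
    ds, risky = parse_directives(conf), []
    for i, (block, name, args) in enumerate(ds):
        parts = args.split()
        if name != 'rewrite' or len(parts) < 2:
            continue
        repl = parts[1]
        followed = any(b == block and n in ('rewrite', 'if', 'set') for b, n, _ in ds[i + 1:])
        if re.search(r'\$\d', repl) and '?' in repl and followed:
            risky.append(repl)
    return risky

def name_captures(regex, replacement):
    """The workaround: unnamed groups become (?<cN>...) and $N becomes $cN.
    Escaped characters and (?...) groups are left alone; assumes no '(' in [...]."""
    groups = count(1)
    named = re.sub(r'\\.|\((?!\?)',   # escaped char, or '(' not starting a (?...) group
                   lambda m: m.group(0) if m.group(0) != '(' else f'(?<c{next(groups)}>',
                   regex)
    return named, re.sub(r'\$(\d+)', r'$c\1', replacement)
```

Run `find_risky_rewrites` over each included file separately, since the toy parser does not follow `include` directives or handle quoted arguments containing spaces.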

Additional Vulnerabilities Addressed

Alongside CVE-2026-42945, F5 has addressed three other vulnerabilities in NGINX:

1. CVE-2026-42946 (CVSS v4 score: 8.3): An excessive memory allocation issue in the ngx_http_scgi_module and ngx_http_uwsgi_module modules. A remote, unauthenticated attacker with adversary-in-the-middle capabilities could exploit this to read the memory of the NGINX worker process or cause it to restart when scgi_pass or uwsgi_pass is configured.

2. CVE-2026-40701 (CVSS v4 score: 6.3): A use-after-free vulnerability in the ngx_http_ssl_module module. This could allow a remote, unauthenticated attacker to have limited control over data modification or cause the NGINX worker process to restart when the ssl_verify_client directive is set to on or optional, and the ssl_ocsp directive is set to on.

3. CVE-2026-42934 (CVSS v4 score: 6.3): An out-of-bounds read vulnerability in the ngx_http_charset_module module. This could enable a remote, unauthenticated attacker to disclose memory contents or cause the NGINX worker process to restart when certain directives are configured.

Recommendations for Users

Users and administrators of NGINX are urged to:

– Update Immediately

Category: Security News