
18-Year-Old NGINX Rewrite Module Flaw Permits Unauthenticated RCE

Cybersecurity researchers have disclosed a number of security vulnerabilities affecting NGINX Plus and NGINX Open Source, including a critical flaw that remained undetected for 18 years.

The vulnerability, discovered by depthfirst, is a heap buffer overflow in ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or trigger a denial-of-service (DoS) condition with crafted requests. It has been codenamed NGINX Rift.

“NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,” F5 said in an advisory released Wednesday. “This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?).”

“An unauthenticated attacker, with circumstances beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This can cause a heap buffer overflow in the NGINX worker process, leading to a restart. Moreover, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.”

The issue has been addressed in the following versions, after responsible disclosure on April 21, 2026 –

  • NGINX Plus R32 – R36 (Fixes released in R32 P6 and R36 P4)
  • NGINX Open Source 1.0.0 – 1.30.0 (Fixes released in 1.30.1 and 1.31.0)
  • NGINX Open Source 0.6.27 – 0.9.7 (No fixes planned)
  • NGINX Instance Manager 2.16.0 – 2.21.1
  • F5 WAF for NGINX 5.9.0 – 5.12.1
  • NGINX App Protect WAF 4.9.0 – 4.16.0
  • NGINX App Protect WAF 5.1.0 – 5.8.0
  • F5 DoS for NGINX 4.8.0
  • NGINX App Protect DoS 4.3.0 – 4.7.0
  • NGINX Gateway Fabric 1.3.0 – 1.6.2
  • NGINX Gateway Fabric 2.0.0 – 2.5.1
  • NGINX Ingress Controller 3.5.0 – 3.7.2
  • NGINX Ingress Controller 4.0.0 – 4.0.1
  • NGINX Ingress Controller 5.0.0 – 5.4.1

In its own advisory, depthfirst said the vulnerability could allow a remote, unauthenticated attacker to corrupt the heap of an NGINX worker process by sending a crafted URI. What makes the vulnerability severe is that it is reachable without authentication, can be reliably used to trigger the heap overflow, and can lead to remote code execution in the NGINX worker process.

“An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution,” depthfirst said. “There is no authentication step, no prior access requirement, and no need for an existing session.”

“The bytes written past the allocation are derived from the attacker’s URI, so the corruption is shaped by the attacker rather than random. Repeated requests can also be used to keep workers in a crash loop and degrade availability for every site served by the instance.”

Also patched in NGINX Plus and NGINX Open Source are three other flaws –

  • CVE-2026-42946 (CVSS v4 score: 8.3) – An excessive memory allocation vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to control responses from an upstream server to read the memory of the NGINX worker process or restart it when scgi_pass or uwsgi_pass is configured.
  • CVE-2026-40701 (CVSS v4 score: 6.3) – A use-after-free vulnerability in the ngx_http_ssl_module module that could allow a remote, unauthenticated attacker to have limited control over modification of data or restart the NGINX worker process when the ssl_verify_client directive is set to “on” or “optional,” and the ssl_ocsp directive is set to “on.”
  • CVE-2026-42934 (CVSS v4 score: 6.3) – An out-of-bounds read vulnerability in the ngx_http_charset_module module that could allow a remote, unauthenticated attacker to disclose memory contents or restart the NGINX worker process when the charset, source_charset, and charset_map directives, together with proxy_pass with buffering disabled (“off”), are configured.
Users are advised to apply the latest versions for optimal protection. If immediate patching is not an option for CVE-2026-42945, users are advised to modify the rewrite configuration by replacing unnamed captures with named captures in every affected rewrite directive.
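As an added triage aid (example code written here, not from the article, F5, or depthfirst), the Python script below scans an nginx configuration for rewrite directives that match the pattern the advisory describes: an unnamed capture such as $1 in a replacement string that also contains a question mark, with the named-capture form shown as the non-flagged alternative. It is a heuristic: it does not check whether a rewrite, if, or set directive follows, so it over-flags, and the sample configuration is constructed.

```python
import re

# Constructed sample nginx configuration (not a real deployment) used as input.
SAMPLE_CONFIG = """\
server {
    listen 80;
    location /old/ {
        # unnamed capture $1 plus '?' in the replacement, followed by set
        rewrite ^/old/(.*)$ /new/$1?legacy=1 last;
        set $tag legacy;
    }
    location /docs/ {
        # named capture (?<page>...) referenced as $page: the advised mitigation
        rewrite ^/docs/(?<page>.*)$ /manual/$page?v=2 last;
        set $tag docs;
    }
    location /plain/ {
        # unnamed capture but no '?' in the replacement: not the described pattern
        rewrite ^/plain/(.*)$ /simple/$1 permanent;
    }
}
"""

# rewrite <regex> <replacement> [flag];  regex and replacement may be quoted.
TOKEN = r'''"[^"]*"|'[^']*'|\S+'''
REWRITE_RE = re.compile(r"^\s*rewrite\s+(?P<regex>%s)\s+(?P<repl>%s)" % (TOKEN, TOKEN))
UNNAMED_CAPTURE_RE = re.compile(r"\$\d")  # $1 .. $9: unnamed PCRE capture references


def find_risky_rewrites(config_text):
    """Return (line_number, directive) for rewrite directives whose replacement
    string references an unnamed capture ($1, $2, ...) and contains a '?'.
    Heuristic: it does not check whether a rewrite/if/set directive follows,
    so it over-approximates; treat hits as candidates for manual review."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):  # skip full-line comments
            continue
        m = REWRITE_RE.match(raw)
        if not m:
            continue
        repl = m.group("repl").strip("\"'")
        if UNNAMED_CAPTURE_RE.search(repl) and "?" in repl:
            findings.append((lineno, raw.strip()))
    return findings


if __name__ == "__main__":
    for lineno, directive in find_risky_rewrites(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}  <- replace $N with a named capture")
```

Only the /old/ rewrite is reported; the /docs/ directive uses a named capture and the /plain/ one has no question mark in its replacement.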
