
Exploitation of Critical NGINX Vulnerability Begins

The first in-the-wild attacks exploiting a critical-severity NGINX vulnerability patched last week occurred over the weekend, VulnCheck warns.

Tracked as CVE-2026-42945 (CVSS score of 9.2) and dubbed Nginx Rift, the flaw is described as a heap buffer overflow in the ngx_http_rewrite_module component. It lurked in the NGINX code for 16 years.

Shortly after F5 released patches for the bug, Depthfirst published technical details and proof-of-concept (PoC) code targeting it. Now, VulnCheck says threat actors are already exploiting the issue in attacks.

“We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was revealed,” VulnCheck researcher Patrick Garrity warned.

The security defect exists because the script engine relies on a two-pass process to calculate the buffer size and copy data to it, and because the internal engine state changes between these passes. In certain conditions, an unpropagated flag results in attacker-supplied data being written past the heap boundary.
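
A simplified C model of the bug class described above, added here as an illustration and not NGINX's code or the published PoC: the `escape` flag, the `%20` expansion and all function names are assumptions standing in for the engine state the article mentions. The copy pass carries the bounds check that keeps a length/copy mismatch from becoming an out-of-bounds write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical engine state; `escape` stands in for the unpropagated flag. */
typedef struct { int escape; } engine_t;

/* Bytes one input character occupies in the output under the current state. */
static size_t out_width(const engine_t *e, char c) {
    return (e->escape && c == ' ') ? 3 : 1;      /* ' ' becomes "%20" */
}

/* Pass 1: size the buffer from the state visible at this moment. */
size_t len_pass(const engine_t *e, const char *v) {
    size_t n = 0;
    for (; *v; v++) n += out_width(e, *v);
    return n;
}

/* Pass 2: copy. Returns bytes written, or (size_t)-1 when the write would
 * pass `cap`; the unsafe pattern has no such check and trusts pass 1. */
size_t copy_pass(const engine_t *e, const char *v, char *dst, size_t cap) {
    size_t n = 0;
    for (; *v; v++) {
        size_t w = out_width(e, *v);
        if (w > cap - n) return (size_t)-1;
        if (w == 3) memcpy(dst + n, "%20", 3); else dst[n] = *v;
        n += w;
    }
    return n;
}

/* Runs both passes; `state_drifts` flips the flag between them.
 * Returns 0 when the copy fit, 1 when the bounded copy refused it. */
int evaluate(const char *v, int state_drifts) {
    engine_t e = { 0 };
    size_t cap = len_pass(&e, v);
    char *buf = malloc(cap + 1);
    if (buf == NULL) return -1;
    if (state_drifts) e.escape = 1;              /* state differs in pass 2 */
    size_t written = copy_pass(&e, v, buf, cap);
    free(buf);
    return written == (size_t)-1 ? 1 : 0;
}

int main(void) {
    printf("consistent state: %d\n", evaluate("a b c", 0));
    printf("drifted state:    %d\n", evaluate("a b c", 1));
    return 0;
}
```

With consistent state the copy fits the sized buffer; once the flag differs between passes, the same constructed input needs more bytes than pass 1 reserved and the bounded copy rejects it.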


On default deployments, successful exploitation of the CVE would trigger a server restart, causing a denial-of-service (DoS) condition. If Address Space Layout Randomization (ASLR) is disabled, the vulnerability can lead to remote code execution (RCE).

As VulnCheck points out, the bug can be exploited remotely, without authentication, via crafted HTTP requests, but requires a specific rewrite configuration.

While crashing the NGINX worker process is fairly trivial with a single crafted request, achieving RCE is more difficult, as most deployments have ASLR enabled by default.

“Our Censys query surfaces roughly 5.7M internet-exposed NGINX servers running a potentially vulnerable version, although the really exploitable population is likely to be a much smaller subset of these,” VulnCheck says.

The vulnerability demands urgent attention, security researchers warn. Wider exploitation attempts against vulnerable deployments are to be expected, especially since the public PoC can be used to disable ASLR and achieve RCE.
