BIP Pennsylvania News


Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)

May 26, 2026 | Twila Rosenbaum

A critical security vulnerability in the widely used NGINX web server software, designated CVE-2026-42945, is currently being actively exploited by attackers. The flaw, which security researchers have dubbed 'NGINX Rift,' was disclosed just last week and proof-of-concept exploit code was quickly released, leading to a surge in exploitation attempts observed since May 16, 2026. The vulnerability poses a significant threat due to NGINX's dominant position as a foundational component of modern web infrastructure.

Background on NGINX

NGINX (pronounced 'engine-x') is the most widely deployed web server globally, used by a substantial portion of the internet's busiest websites. Beyond serving web pages, NGINX also functions as a reverse proxy, load balancer, and HTTP cache. Its high performance, stability, rich feature set, and low resource consumption have made it the go-to choice for many organizations. The software is developed and maintained by F5 Networks, which offers both an open-source version (NGINX Open Source) and a commercial version (NGINX Plus). F5 also integrates NGINX into several of its application delivery and security products, including the NGINX Ingress Controller for Kubernetes and F5's Web Application Firewall (WAF) and denial-of-service (DoS) protection modules. Given this widespread adoption, a critical vulnerability in NGINX can have far-reaching consequences across the internet ecosystem.

Vulnerability Details: CVE-2026-42945

CVE-2026-42945 is a memory corruption vulnerability residing in the ngx_http_rewrite_module of NGINX. The flaw affects NGINX Open Source versions from 0.6.27 through 1.30.0, as well as NGINX Plus versions R32 through R36. Additionally, several F5 products that incorporate NGINX are also impacted, such as NGINX Ingress Controller, F5 WAF for NGINX, and F5 DoS for NGINX. The vulnerability allows a remote, unauthenticated attacker to corrupt the heap memory of an NGINX worker process by sending a specially crafted HTTP request containing a malicious URI.

The root cause lies in a specific configuration pattern: a rewrite directive that uses an unnamed regex capture (e.g., $1, $2) combined with a replacement string that includes a question mark, followed by another rewrite, if, or set directive. When this pattern is present, NGINX incorrectly calculates the destination buffer size based on one set of escaping assumptions, but then writes to it using different assumptions. This mismatch causes the write operation to exceed the allocated buffer, leading to deterministic memory corruption. Critically, the bytes written past the buffer are derived from the attacker-controlled URI, meaning the corruption is shaped by the attacker rather than being random.

This vulnerability can be reliably exploited to trigger a denial-of-service (DoS) condition by repeatedly crashing NGINX worker processes, thereby degrading or completely disrupting the availability of all websites served by the affected instance. Moreover, under certain circumstances – specifically if the attacker can disable Address Space Layout Randomization (ASLR) on the target server – the flaw can potentially allow for unauthenticated remote code execution (RCE). This dual threat of DoS and potential RCE makes CVE-2026-42945 particularly dangerous.

Exploitation in the Wild

Security researcher Patrick Garrity of VulnCheck reported on May 17, 2026, that the company's canary systems began flagging exploitation attempts just three days after the vulnerability and proof-of-concept (PoC) exploit were made public. The PoC was developed by researchers at Depthfirst, who discovered the vulnerability using their AI-native vulnerability detection platform. While the immediate exploitation observed was primarily for causing denial of service, the potential for code execution exists for attackers who can first disable ASLR on the target system. Kevin Beaumont, another prominent security researcher, corroborated this assessment.

It is important to note that not every NGINX instance is vulnerable. The vulnerability only exists on servers running a specific rewrite configuration that includes the problematic pattern. A Censys search conducted by the VulnCheck team revealed roughly 5.7 million internet-exposed NGINX servers running a potentially vulnerable version. However, the truly exploitable population – those with the vulnerable rewrite configuration – is likely to be a much smaller, yet still significant, subset. Attackers are scanning the internet for vulnerable configurations and launching targeted attacks.

Mitigations and Fixes

F5 has released patches for all affected product lines. The fixed versions include:

  • NGINX Open Source: versions 1.31.0 and 1.30.1
  • NGINX Plus: versions R36 P4 and R32 P6
  • F5 WAF for NGINX: version 5.13.0
  • F5 DoS for NGINX: version 4.9.0

In addition to applying patches, F5 has provided a mitigation that can be implemented without upgrading: using named captures instead of unnamed captures in rewrite definitions. This simple configuration change avoids the memory corruption bug entirely. Linux distributions, including AlmaLinux, Ubuntu, and Debian, have also started releasing patched nginx packages to their repositories. System administrators are strongly urged to update their NGINX installations as soon as possible, especially if their configuration uses rewrite rules with regex captures. Given the active exploitation, delaying the update could leave systems exposed to service disruption or compromise.
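The two checks a defender wants from the sections above are a version test against the affected range and a configuration audit for the rewrite pattern the advisory describes (an unnamed capture such as $1, a replacement containing a question mark, and a following rewrite, if or set directive in the same block). The script below is an added example written for this article; it is not code from F5, NGINX or the researchers named here. It assumes the version boundaries exactly as the text states them for NGINX Open Source (NGINX Plus R-numbering is not handled), uses a deliberately small nginx.conf tokenizer, and the two configuration fragments in it are constructed samples: the first carries the vulnerable pattern, the second applies the named-capture mitigation.

```python
"""Audit helpers for CVE-2026-42945 (added example, not vendor code)."""
import re

# Affected NGINX Open Source range as stated in the article: 0.6.27 through 1.30.0,
# with fixes in 1.30.1 and 1.31.0. NGINX Plus (R32-R36) is not covered here.
FIRST_AFFECTED = (0, 6, 27)
FIX_FOR_1_30 = (1, 30, 1)
FIX_FOR_OTHERS = (1, 31, 0)

# A '(' that is not escaped and not the start of '(?' (named, non-capturing, lookaround).
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")


def parse_version(text):
    """Extract x.y.z from strings such as 'nginx/1.30.0' or 'nginx version: nginx/1.29.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True if the open-source version lies in the advisory's affected range."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    if v[:2] == (1, 30):          # 1.30 branch patched at 1.30.1
        return v < FIX_FOR_1_30
    return v < FIX_FOR_OTHERS     # everything else patched at 1.31.0


def tokenize(text):
    """Minimal nginx.conf tokenizer: words, quoted strings, and the { } ; separators."""
    tokens, cur, quote, i = [], "", None, 0
    while i < len(text):
        c = text[i]
        if quote:                                  # inside "..." or '...'
            if c == "\\" and i + 1 < len(text):
                cur += text[i:i + 2]; i += 2; continue
            if c == quote:
                quote = None
            else:
                cur += c
            i += 1; continue
        if c == "#":                               # comment to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        if c in "\"'":
            quote = c; i += 1; continue
        if c.isspace() or c in "{};":
            if cur:
                tokens.append(cur); cur = ""
            if c in "{};":
                tokens.append(c)
            i += 1; continue
        cur += c; i += 1
    if cur:
        tokens.append(cur)
    return tokens


def parse(tokens):
    """Build nested (name, args, children) tuples; children is None for simple directives."""
    root, stack, cur = [], [], []
    stack.append(root)
    for t in tokens:
        if t == ";":
            if cur:
                stack[-1].append((cur[0], cur[1:], None))
            cur = []
        elif t == "{":
            children = []
            stack[-1].append((cur[0], cur[1:], children))
            stack.append(children); cur = []
        elif t == "}":
            stack.pop()
        else:
            cur.append(t)
    return root


def find_vulnerable_rewrites(block, path=""):
    """Return (block path, regex, replacement, following directive) for each hit."""
    findings = []
    for idx, (name, args, children) in enumerate(block):
        if children is not None:
            findings.extend(find_vulnerable_rewrites(children, f"{path}/{name} {' '.join(args)}".strip()))
        if name != "rewrite" or len(args) < 2:
            continue
        regex, replacement = args[0], args[1]
        if not UNNAMED_GROUP.search(regex) or "?" not in replacement:
            continue
        # The pattern needs another rewrite/if/set directive after it in the same block.
        followers = [n for n, _, _ in block[idx + 1:] if n in ("rewrite", "if", "set")]
        if followers:
            findings.append((path or "/", regex, replacement, followers[0]))
    return findings


def audit_config(text):
    return find_vulnerable_rewrites(parse(tokenize(text)))


# Constructed sample: unnamed capture $1, '?' in the replacement, then a second rewrite.
VULNERABLE_CONF = """
server {
    listen 80;
    location /old {
        rewrite ^/old/(.*)$ /new?path=$1 last;   # vulnerable shape
        rewrite ^/new /final break;
    }
}
"""

# Constructed sample: same routing with the named-capture mitigation applied.
FIXED_CONF = """
server {
    listen 80;
    location /old {
        rewrite ^/old/(?<tail>.*)$ /new?path=$tail last;
        rewrite ^/new /final break;
    }
}
"""

if __name__ == "__main__":
    print("nginx/1.30.0 affected:", is_affected_version("nginx/1.30.0"))
    for hit in audit_config(VULNERABLE_CONF):
        print("vulnerable rewrite in", hit[0], "->", hit[1], hit[2], "followed by", hit[3])
    print("fixed config findings:", audit_config(FIXED_CONF))
```

Run it against the output of `nginx -V` and the result of `nginx -T` (which dumps the full, include-expanded configuration) to cover both checks; a hit from `audit_config` means the block should be rewritten with a named capture as F5 recommends, or the server upgraded to one of the fixed versions listed above.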

Impact and Recommendations

The exploitation of CVE-2026-42945 underscores the importance of promptly applying security patches, particularly for critical infrastructure components like web servers. The vulnerability's potential for both denial of service and remote code execution makes it a high-priority concern for any organization running NGINX. Even organizations that do not use rewrite rules should verify their NGINX version and update to the latest patched release to protect against future exploitation attempts targeting other vulnerabilities. Security teams should review their NGINX configurations for the pattern described, consider using named regex captures as a temporary workaround, and monitor for any suspicious activity indicative of exploitation. The incident also highlights the role of AI-powered vulnerability detection platforms in discovering such flaws before they are weaponized at scale, although the rapid release of PoCs following disclosure remains a challenge for defenders. As always, a proactive patch management strategy is essential to maintaining a robust security posture against emerging threats.


Source: Help Net Security News

