NGINX Rift (CVE-2026-42945): The 18-Year-Old Rewrite Module Bug That Lets One HTTP Request Own Your Web Server (2026 Patch Guide)

By Fanny Engriana · 9 min read · 6 views

Disclaimer: This article is for educational and defensive security purposes only. The exploitation details summarized here come from public advisories by F5, NIST, and independent researchers. Do not test or exploit CVE-2026-42945 against any server you do not own or lack written authorization to assess. Unauthorized testing is a crime under the U.S. Computer Fraud and Abuse Act (CFAA), the EU NIS2 Directive, and Indonesia's UU ITE.

On May 13, 2026, F5 and the research team at depthfirst jointly disclosed CVE-2026-42945, branded "NGINX Rift": a critical heap buffer overflow in the ngx_http_rewrite_module that lets an unauthenticated attacker run arbitrary code on your web server with a single crafted HTTP request. CVSS v4.0 scores it 9.2. The bug has lived in the NGINX source tree since 2008. By May 16, VulnCheck's canary sensors were already logging exploitation attempts in the wild.

If you operate any version of NGINX between 0.6.27 and 1.30.0, or NGINX Plus R32 through R36, you need to act this week. The patch is straightforward. The exposure window is not, because most operators do not know which of their rewrite rules trigger the bug. This guide explains how the vulnerability actually fires, how to find vulnerable directives in your config in under five minutes, and what to do if you cannot patch immediately.

Why this one is different

NGINX vulnerabilities are usually limited to specific modules nobody ships in production, or require attacker-controlled config. NGINX Rift is the opposite. The vulnerable path is ngx_http_rewrite_module, the same module that powers the rewrite, if, set, and return directives that almost every NGINX-fronted site uses. Three patterns trigger it routinely in the wild:

  • WordPress, Ghost, and Laravel front controllers that use rewrite ^/(.*)$ /index.php?route=$1 last;
  • Legacy URL shims where old query strings get rewritten to clean URLs
  • SPA fallback rules that strip a hash fragment and reissue the request

The combination that fires the bug is narrow but extremely common: an unnamed PCRE capture ($1, $2, etc.) used inside a replacement string that contains a question mark, followed by another rewrite, if, or set directive in the same context. When all three line up, NGINX's two-pass script engine miscalculates the destination buffer in the length pass and then writes more bytes into it during the copy pass. The overflow is into the worker process heap.

The technical mechanism, plainly

NGINX builds every rewritten URI in two passes. The first pass measures the output to allocate a buffer; the second pass writes the output into that buffer. The bug is a contract violation between the two.

An internal flag called is_args is set during the length-calculation phase when NGINX encounters a question mark in the replacement. That flag is supposed to be reset before the copy phase. In the vulnerable code path inside ngx_http_script.c, the flag leaks across into ngx_escape_uri, which then escapes characters such as +, %, and & using a different rule than the length pass used. Those characters expand to three bytes each (%XX) during the copy but were counted as one byte during the measure. The write runs past the end of the heap allocation.

Researchers at HeroDevs and Akamai have demonstrated that the overflow is controllable enough to corrupt adjacent heap metadata, which on glibc builds without hardened allocator mitigations is one step away from remote code execution. On worker processes that are not jailed, that means shell as the nginx user, which on default Debian/Ubuntu builds has read access to every static asset, every fastcgi_pass socket, and often the application's .env file.

Affected versions

Per the official F5 advisory and the NIST NVD entry for CVE-2026-42945:

  • NGINX Open Source: 0.6.27 through 1.30.0 inclusive; patched in 1.30.1 (stable) and 1.31.0 (mainline)
  • NGINX Plus: R32 through R36; patched in R32 P6 and R36 P4
  • NGINX Ingress Controller for Kubernetes (both the kubernetes/ingress-nginx and nginxinc/kubernetes-ingress flavors)
  • NGINX Gateway Fabric and NGINX App Protect WAF
  • Downstream packages that vendor the same ngx_http_script.c: OpenResty, Tengine, AWS CloudFront-on-Nitro builds, several CDN edge nodes

If your distribution ships NGINX through a package manager (AlmaLinux, Rocky, Debian stable, RHEL, Amazon Linux 2023), your patched build may arrive a few days after upstream. AlmaLinux published their backported 1.28.x build on May 13. Debian backports landed on May 15.

How I audited my own stack

When the F5 advisory dropped on May 13, my first concern was the seven aggregator blogs I run on Hostinger shared hosting (HoroAura, QuickExam, HireVane, CyberShieldTips itself, CloudHostReview, SoftwarePeeks, and AICraftGuide). Hostinger fronts shared accounts with a managed NGINX layer that I do not control, but the LiteSpeed/NGINX interplay in cPanel-style shared hosting is a real gray area, and I have a Vue/Laravel SaaS project running on a separate Hostinger VPS where I do own the full NGINX config.

From 11+ years running production web infrastructure, here is the audit I ran across the VPS in under five minutes. It works on any Linux box with NGINX installed:

# Step 1: confirm version
nginx -v
# nginx version: nginx/1.26.2  <-- vulnerable

# Step 2: list every rewrite/if/set directive
grep -RnE '^\s*(rewrite|if|set)\s' /etc/nginx/ 2>/dev/null

# Step 3: narrow to the dangerous pattern (an unnamed capture $N and a '?'
# in the same directive, in either order, since the '?' usually precedes $N)
grep -RnE 'rewrite\s+[^;]*(\$[0-9][^;]*\?|\?[^;]*\$[0-9])' /etc/nginx/ 2>/dev/null

The third command is the only one that matters. It looks for rewrite directives that combine an unnamed capture ($1 through $9) with a question mark in the replacement. On my SaaS VPS I had exactly two matches, both in a single legacy block I had inherited from a 2022 WordPress migration:

rewrite ^/old-blog/(.*)$ /blog/index.php?slug=$1 last;
rewrite ^/feed/(.+)$ /rss.php?type=$1 last;

Both fire the bug. Both got rewritten the same afternoon using the named-capture mitigation below.

The configuration-only mitigation (if you cannot patch yet)

F5's advisory documents a clean workaround: replace every unnamed capture in a vulnerable rewrite with a named capture. Named captures (?<name>) take a different path through ngx_http_script.c that does not flip the is_args flag, so the buffer math stays consistent.

Before:

rewrite ^/old-blog/(.*)$ /blog/index.php?slug=$1 last;

After:

rewrite ^/old-blog/(?<slug>.*)$ /blog/index.php?slug=$slug last;

Reload NGINX with nginx -t && nginx -s reload. No application-side change is required.

This is a real workaround, not a half-measure, but it is fragile in two ways: (1) you have to find every vulnerable directive yourself, including those in vendored include files like fastcgi.conf and module conf.d snippets; and (2) any future config change by a teammate who is not aware of the bug can reintroduce it. The patch is still the right answer the moment your distro ships it.

Detecting exploitation attempts in your logs

The public proof-of-concept released to GitHub on May 14 triggers the overflow with a URL whose path contains a long sequence of + and % characters following a query string. The signature in the NGINX access log looks like a request to a path that ends in dozens or hundreds of escape sequences:

tail -F /var/log/nginx/access.log | grep -E '(%[0-9A-Fa-f]{2}){20,}'

If you run a WAF, both Cloudflare and Imperva pushed managed rules for CVE-2026-42945 within 48 hours of disclosure. Cloudflare's rule ID is 100786 on the Managed Ruleset. AWS WAF customers should enable the AWSManagedRulesKnownBadInputsRuleSet if it is not already on; AWS confirmed coverage in their May 16 bulletin. For self-managed WAFs running ModSecurity with the OWASP Core Rule Set v4.x, rule 920120 (multiple URL encoding) is the closest matching pre-existing rule, but it generates false positives on legitimate traffic and should be tuned, not enabled blindly.
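The same log signature as structured detection logic, as an added example that is not part of the original article or any vendor rule: it parses NGINX combined-format lines, measures the longest run of percent-escapes or '+' in the query string, and returns one record per suspicious request. The log lines are constructed; the 20-token threshold follows the grep above.

```python
import re

# Constructed sample lines in NGINX "combined" log format (not from a real server).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [16/May/2026:10:01:02 +0000] "GET /blog/index.php?slug=hello%20world HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/May/2026:10:01:09 +0000] "GET /old-blog/x?q=' + '%2B' * 40 + ' HTTP/1.1" 502 0 "-" "curl/8.5.0"',
    '198.51.100.9 - - [16/May/2026:10:02:11 +0000] "GET /feed/a?type=' + '%25' * 25 + '%2b' * 10 + ' HTTP/1.1" 502 0 "-" "python-requests/2.32"',
    '203.0.113.6 - - [16/May/2026:10:03:00 +0000] "POST /api/login HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
])

# client IP, request line (method, URI, protocol), status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# one escape token: a percent-escape in either hex case, or a literal '+'
TOKEN_RE = re.compile(r'%[0-9A-Fa-f]{2}|\+')
# an unbroken run of such tokens
RUN_RE = re.compile(r'(?:%[0-9A-Fa-f]{2}|\+)+')

def parse_line(line):
    """Return the fields we need, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, uri, status = m.groups()
    return {"ip": ip, "method": method, "uri": uri, "status": int(status)}

def escape_run_length(uri):
    """Longest run of escape tokens in the query string, counted in tokens."""
    _, _, query = uri.partition('?')
    return max((len(TOKEN_RE.findall(m.group(0))) for m in RUN_RE.finditer(query)),
               default=0)

def find_suspicious(log_text, min_tokens=20):
    """One record per line whose query string carries a run of >= min_tokens escapes.
    A 5xx status on the same line is corroborating evidence (worker crash), but the
    run length alone is the trigger so a successful attempt is not missed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        n = escape_run_length(rec["uri"])
        if n >= min_tokens:
            rec["escape_tokens"] = n
            hits.append(rec)
    return hits
```

Feed `find_suspicious` the output of your log shipper rather than a file read, and alert on the source IP plus the status code; tune `min_tokens` upward if legitimate encoded search queries trip it.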

What to do this week: concrete checklist

  1. Inventory. Run nginx -v on every host. Cloud build pipelines that bake NGINX into container images need a fresh build, not just a host patch.
  2. Audit configs. Run the three grep commands above on every host's /etc/nginx tree (or your equivalent path).
  3. Patch. Upgrade to 1.30.1, 1.31.0, R32 P6, or R36 P4, whichever your fleet runs. Verify the upgrade with nginx -v after the package install.
  4. Mitigate first, patch second only if your change window is more than 48 hours away. Public exploitation is happening now.
  5. Log and alert. Add the escape-sequence pattern above to your SIEM or log aggregator. The PoC is noisy enough to spot.
  6. Re-audit after deploy. Confirm your post-patch nginx -v and run the rewrite grep one more time; a colleague's rollback of an unrelated change is a realistic regression vector.

Shared hosting customers: ask, do not assume

If you run on Hostinger, SiteGround, DreamHost, or any other shared platform, you do not own the NGINX binary. You also cannot run nginx -v on the gateway in front of your account. The right move is to open a support ticket asking explicitly: "Has the front-end NGINX layer been upgraded to a build that includes the CVE-2026-42945 patch? If not, when is the maintenance window?"

This is the question that gets a real answer. Vague "is my site safe?" tickets bounce around tier-one support for days. From observing how Hostinger handled the cPanel CVE-2026-41940 advisory two weeks earlier, the company patches their front-end infrastructure inside the disclosure-plus-72-hour window, and the support agents will confirm a build number if you ask. Document the answer in your own incident log.

Beyond the patch: hardening that would have contained this

NGINX Rift is a worker-process memory corruption. Three controls would have contained the blast radius:

  • Run workers as an unprivileged user with no shell. Default packages already set user nginx;, but on some custom builds, workers run as www-data with /bin/sh. Set the shell to /usr/sbin/nologin.
  • Read-only root filesystem on the worker. Systemd's ProtectSystem=strict plus ReadWritePaths=/var/lib/nginx /var/log/nginx blocks an attacker from dropping a webshell even after RCE.
  • Mandatory access control. Both AppArmor and SELinux ship NGINX profiles that confine the worker to expected directories. Enforce mode, not complain mode. Per CISA's "Secure by Design" guidance updated in March 2026, MAC enforcement is now considered baseline for any internet-facing service in U.S. federal procurement.

None of these stop the overflow. All three turn a "shell as nginx" into "shell that cannot do anything useful," which is the actual security goal.

FAQ

Q: I run Apache, not NGINX. Am I affected?
No. The bug is specific to NGINX's ngx_http_script.c. Apache's mod_rewrite uses a completely different parser.

Q: I have no rewrite directives in my config. Am I safe?
You are safe from this specific bug, yes, but verify with the grep command above. Many distributions ship default nginx.conf with rewrite directives inside the conf.d/default.conf or sites-enabled/ includes that you may not be aware of.

Q: Does Cloudflare in front of my origin protect me?
Partially. Cloudflare's Managed Ruleset rule 100786 blocks the public PoC pattern at the edge, but bypasses are inevitable; treat the WAF as defense-in-depth, not as a substitute for patching the origin.

Q: I run NGINX 1.18 on Ubuntu 20.04 LTS. Will the patch land?
Yes. Canonical published the security update for the 1.18.x branch on May 14 via the standard focal-security APT channel. Run apt update && apt install nginx and verify the package version against USN-7842-1 in the Ubuntu Security Notices.

Q: Is there a public exploit?
Yes. A working proof-of-concept that triggers the heap overflow (causing worker crash and, in some configurations, RCE) has been on GitHub since May 14. Treat this as a fully weaponized vulnerability.

Sources and further reading

  • NIST NVD entry: CVE-2026-42945
  • F5 official security advisory K000136892 (May 13, 2026)
  • The Hacker News, "18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE" (May 14, 2026)
  • Akamai Security Research, "Mitigating a Critical Heap Buffer Overflow Vulnerability in NGINX" (May 15, 2026)
  • HeroDevs technical breakdown, "NGINX Rift Heap Buffer Overflow Hits Ingress NGINX" (May 14, 2026)
  • AlmaLinux security advisory, "NGINX Rift (CVE-2026-42945) Patches Released" (May 13, 2026)
  • Help Net Security, "Attackers are exploiting critical NGINX vulnerability" (May 18, 2026)
  • CISA Known Exploited Vulnerabilities Catalog entry (added May 19, 2026)
  • OWASP Core Rule Set documentation, rule 920120

Final note: if you maintain NGINX configuration for clients, document your patch and rewrite-rule audit in writing and share it with the customer. From 11+ years building production systems for 30+ clients, the single biggest source of post-incident disputes is the absence of a paper trail. Send the email. Keep the receipts.