
NGINX Rift (CVE-2026-42945): Affected versions, how to check, and workaround

A critical 18-year-old vulnerability (CVE-2026-42945, codenamed NGINX Rift, CVSS 9.2) has been disclosed in the NGINX rewrite module. Unauthenticated remote code execution is possible and a PoC is public. This article covers affected products, how to check your environment, the patch procedure, and a workaround.

kkm-horikawa (kkm), Backend Engineer / AWS / Django
2026.05.15, 9 min

On May 13, 2026, a serious vulnerability was disclosed in NGINX, one of the most widely used web servers in the world. The CVE identifier is CVE-2026-42945, codenamed NGINX Rift.

The CVSS v4.0 score is 9.2 (Critical). A proof-of-concept (PoC) exploit was published together with the oss-security mailing list disclosure and the research write-up from the finders, depthfirst, indicating that remote code execution (RCE) can be achieved without authentication or an existing session.

The flaw lives in ngx_http_rewrite_module, the URL rewriting module shipped with NGINX. Every version from 0.6.27 (released in 2008) through 1.30.0 is affected. The Hacker News describes it as "an 18-year-old defect that went undetected."

This article summarizes the affected products, how to check your environment, how to apply the patch, available workarounds, and the response from major distributions.

Affected NGINX versions

According to F5 Security Advisory K000161019 and the NGINX Security Advisories, the impact spans the entire NGINX family, including commercial editions.

| Product | Affected versions | Fixed versions |
|---|---|---|
| NGINX Open Source | 0.6.27 to 1.30.0 | 1.30.1 (stable), 1.31.0 (mainline) |
| NGINX Plus | R32 to R36 | R36-1 (patch available) |
| NGINX Instance Manager | Depends on bundled NGINX | See F5 advisory |
| NGINX App Protect WAF | Depends on bundled NGINX | See F5 advisory |
| NGINX Gateway Fabric | Depends on bundled NGINX | See F5 advisory |
| Ingress-NGINX Controller | Depends on bundled NGINX | Update being prepared by the project |

Because 0.6.27 was released in July 2008, virtually every NGINX shipped over the past 18 years carries the bug. BleepingComputer notes that the affected scope effectively covers "all NGINX deployments currently running in production."

A practical caveat: NGINX is often bundled inside other products, such as PaaS reverse proxy layers, router management consoles, and Apache Traffic Server-like middleware. Even if you have not installed NGINX directly, a product you depend on may embed it.

How the rewrite-module bug works

The ngx_http_rewrite_module in NGINX rewrites URLs into different URLs. A common use case is forwarding requests for /old/foo to /new/foo.

According to the depthfirst analysis, a heap buffer overflow occurs when three conditions are present in the configuration:

  1. A rewrite directive is followed by another rewrite, if, or set directive.
  2. The replacement uses unnamed regex captures such as $1 or $2.
  3. The replacement string (the second argument of rewrite) contains a question mark ?.

A matching configuration looks like the following.

location /api/ {
    rewrite ^/api/(.*)$ /internal?migrated=true&path=$1 last;
    set $endpoint $1;
}

The core defect is that the buffer-size calculation and the actual write use different escaping assumptions. The size calculation uses the raw, unescaped byte length, while the write path calls ngx_escape_uri(), which expands certain characters to as many as three bytes each. The write therefore runs past the end of the allocated buffer and corrupts the heap.

The depthfirst automated analysis system reported that it found five security issues, including this vulnerability, within about six hours after starting its scan of the NGINX source code. Four of those were confirmed by NGINX.

Impact if compromised

The F5 advisory describes two outcomes when the bug is triggered: a worker-process restart (service disruption), and, under certain runtime conditions, remote code execution (RCE). RCE has environmental prerequisites.

F5 states the impact as "heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with ASLR disabled, code execution is possible."

ASLR (Address Space Layout Randomization) is a defense that randomizes memory layout to make this class of attack harder to land. It is enabled by default on the standard kernels of major Linux distributions such as RHEL, Ubuntu, and Debian, which narrows the window for reliable code execution on those systems. On older embedded devices, lightweight containers with ASLR disabled, or environments where kernel parameters have been manually adjusted, the precondition can hold.

| Applicable condition | Likely impact | Recommended response |
|---|---|---|
| Public-facing NGINX 1.30.0 or older with a matching rewrite configuration | Single external request triggers worker-process restart (intermittent outage) | Apply the patch as a top priority and apply the workaround in parallel |
| Above, plus ASLR disabled (legacy embedded, some containers) | Unauthenticated RCE may succeed; server takeover risk | Patch immediately or consider taking the host offline |
| Ingress-NGINX Controller on Kubernetes | DoS at the cluster edge and worker restarts | Upgrade to the project's updated release |
| NGINX Plus R32-R36 under commercial support | Same risk plus contractual response obligations | Upgrade to R36-1 via F5 support |
| Use of a third-party product that embeds NGINX | Inherits the same risk until the vendor ships a patch | Contact the vendor and apply the workaround |

The commands in the next section let you determine whether your configuration is in scope.

Version check and patch procedure

Start by checking which version of NGINX you are running. There are two commands that show version information: -v (lowercase) and -V (uppercase).

| Command | Output |
|---|---|
| nginx -v | Version number only |
| nginx -V | Version number plus compile-time options and the bundled OpenSSL / PCRE versions |

For vulnerability checking, the version number alone is enough, so nginx -v is sufficient. Use nginx -V when you also want to see dependency information.

# Version check
$ nginx -v
nginx version: nginx/1.28.0

# 1.30.0 or earlier is affected
# 1.30.1 / 1.31.0 or later is patched

If the version is 1.30.0 or earlier, the next step is to determine whether a matching configuration pattern exists.

# Dump all effective config and search for rewrite-related lines
$ nginx -T | grep -E 'rewrite|^\s*(if|set)\s'

# Or search files directly under /etc/nginx
$ grep -rni 'rewrite' /etc/nginx/

If any matching rewrite line contains unnamed captures like $1 or $2 together with a replacement string that includes ?, and a rewrite / if / set directive follows it, the configuration meets the trigger conditions.
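The grep output still has to be read by eye against the three conditions. The following sketch automates that reading; it is an added example, not code from the article, F5, or depthfirst. It assumes "followed by" means any later rewrite, if, or set in the same block, and the names `audit` and `risky` and the simplified tokenizer are hypothetical.

```python
import re
import sys

# Directives that satisfy the article's condition 1 when they follow a rewrite.
FOLLOWERS = {"rewrite", "if", "set"}
TOKEN = re.compile(r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+""")
UNNAMED = re.compile(r"\$[1-9]")  # $1..$9, not named variables such as $path
# Constructed sample: the article's pattern, a named-capture fix, a lone rewrite.
SAMPLE = r"""
location /api/ {
    rewrite ^/api/(.*)$ /internal?migrated=true&path=$1 last;
    set $endpoint $1;
}
location /fixed/ { rewrite ^/f/(?<p>.*)$ /internal?path=$p last; set $e $p; }
location /alone/ { rewrite ^/alone/(.*)$ /internal?path=$1 last; }
"""

def risky(args):
    """Conditions 2 and 3: the replacement has '?' and an unnamed capture."""
    repl = args[2].strip("\"'") if args[0] == "rewrite" and len(args) > 2 else ""
    return "?" in repl and bool(UNNAMED.search(repl))

def audit(text):
    """Return (rewrite_line, follower, follower_line) for each full match."""
    findings, scopes, args, start = [], [[]], [], 0
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith("#"):        # comment, recognised only at token start
            continue
        if tok == "}":                 # block closes: forget its pending rewrites
            scopes, args = scopes[:-1] or [[]], []
        elif tok in ("{", ";"):        # a directive (or block header) is complete
            if args and args[0] in FOLLOWERS:
                findings += [(r, args[0], start) for r in scopes[-1]]
                scopes[-1].clear()
            if args and risky(args):
                scopes[-1].append(start)
            if tok == "{":
                scopes.append([])
            args = []
        else:
            if not args:               # first token: remember the directive's line
                start = text.count("\n", 0, m.start()) + 1
            args.append(tok)
    return findings

if __name__ == "__main__":             # usage: nginx -T | python3 this_file.py
    for hit in audit(SAMPLE if sys.stdin.isatty() else sys.stdin.read()):
        print("rewrite on line %d is followed by %s on line %d" % hit)
```

Reported line numbers refer to the text fed in, so when piping `nginx -T` they index the combined dump rather than the individual files under /etc/nginx.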

Applying the patch:

# Debian / Ubuntu (when using the official nginx repo)
$ sudo apt update
$ sudo apt install --only-upgrade nginx

# RHEL / Rocky / AlmaLinux
$ sudo dnf update nginx

# Docker (official image)
$ docker pull nginx:1.30.1
$ docker pull nginx:1.31.0

# Kubernetes Ingress-NGINX (Helm)
$ helm repo update
$ helm upgrade ingress-nginx ingress-nginx/ingress-nginx

Workaround: If you cannot upgrade immediately, you can drop out of the trigger conditions by rewriting unnamed captures into named captures in the affected rewrite directives. After editing, run nginx -t to validate the config and nginx -s reload to apply it (no restart required).

# Before (vulnerable)
rewrite ^/api/(.*)$ /internal?migrated=true&path=$1 last;
set $endpoint $1;

# After (named captures)
rewrite ^/api/(?<path>.*)$ /internal?migrated=true&path=$path last;
set $endpoint $path;

Response from CISA, F5, and the distributions

The status as of this writing (May 15, 2026) is summarized below.

F5 (NGINX maintainer): On May 13, 2026, F5 published Security Advisory K000161019 and released patches for NGINX Open Source 1.30.1 (stable), 1.31.0 (mainline), and NGINX Plus R36-1 on the same day. Commercial subscribers are receiving direct upgrade notifications in parallel.

CISA (Cybersecurity and Infrastructure Security Agency): CVE-2026-42945 is not yet listed on the Known Exploited Vulnerabilities Catalog (KEV) at the time of writing. There are no public reports of widespread in-the-wild exploitation. Given the public PoC and the breadth of the exposure, a near-term KEV listing is plausible.

Linux distributions: AlmaLinux has published patched packages in its testing repository and is preparing the stable rollout. CloudLinux and TuxCare have released advisories. Debian, Ubuntu, RHEL, and Rocky Linux security teams are working on their respective updates.

Exploitation observed so far: Between the PoC release and the time of writing, only limited scanning increases from specific source IPs have been observed, with no public reports of broad exploitation campaigns. Help Net Security echoes this assessment.

Related issues: Earlier in the same month, two Linux kernel local privilege escalation flaws were disclosed: Fragnesia (CVE-2026-46300) and Copy Fail (CVE-2026-31431). Together with the NGINX issue, they make a good occasion to review the full stack of long-running infrastructure.
