Cybersecurity researchers are warning that attackers have already started exploiting a newly disclosed NGINX vulnerability, tracked as CVE-2026-42945, just days after technical details and proof-of-concept code became public. The flaw, also referred to as NGINX Rift, affects millions of potentially exposed servers and has raised concerns across the security community due to its potential impact on core internet infrastructure.
Security researcher Patrick Garrity of VulnCheck revealed on Saturday that exploitation attempts targeting CVE-2026-42945 were detected shortly after disclosure. The vulnerability was publicly announced the previous week and is considered critical because it can be abused to trigger denial-of-service conditions and may also enable unauthenticated remote code execution under specific circumstances.
What Is NGINX and Why the Vulnerability Matters
NGINX is one of the most widely used web servers in the world and serves as a foundational component of modern internet infrastructure. In addition to functioning as a web server, it is commonly deployed as a load balancer, reverse proxy, and HTTP cache.
The software is maintained by application delivery and networking company F5, which oversees the development of both the open-source edition, known as NGINX Open Source, and the commercial offering, NGINX Plus. The company has also integrated NGINX into several of its security and application delivery products.
Because of NGINX’s extensive global deployment, the discovery of NGINX Rift and the rapid emergence of exploitation attempts have intensified concerns about large-scale exposure.
Technical Details Behind CVE-2026-42945
The NGINX vulnerability CVE-2026-42945 is classified as a memory corruption flaw affecting NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus versions R32 through R36. Several F5 products that incorporate NGINX are also impacted, including NGINX Ingress Controller and F5 WAF for NGINX.

Researchers explained that the flaw originates in the ngx_http_rewrite_module. According to the disclosure, a remote and unauthenticated attacker can corrupt heap memory within an NGINX worker process by sending a specially crafted HTTP request.
The vulnerability is triggered through a relatively common configuration pattern involving rewrite directives that use unnamed regular expression captures such as $1 or $2, combined with a replacement string containing a question mark and followed by another rewrite, if, or set directive.
Researchers who uncovered the flaw stated:
“A bug in the ngx_http_rewrite_module lets a remote, unauthenticated attacker corrupt the heap of an NGINX worker process by sending crafted URI.”
They further explained that NGINX calculates the size of a destination buffer using one set of escaping assumptions but writes data using another, ultimately causing writes beyond the allocated memory region.
According to the researchers:
“The write runs past the allocated buffer, producing deterministic memory corruption. The bytes written past the allocation are derived from the attacker’s URI, so the corruption is shaped by the attacker rather than random.”
The researchers also warned that repeated malicious requests could force NGINX workers into continuous crash loops, severely affecting the availability of websites and applications hosted on vulnerable systems.
Patches and Mitigation Measures Released
F5 has already released fixes for the NGINX vulnerability CVE-2026-42945 across multiple products. The issue has been addressed in:
- NGINX Open Source versions 1.31.0 and 1.30.1
- NGINX Plus versions R36 P4 and R32 P6
- F5 WAF for NGINX v5.13.0
- F5 DoS for NGINX v4.9.0
In addition to software updates, F5 recommended a mitigation strategy for organizations unable to patch immediately. The company advised administrators to replace unnamed regex captures in rewrite rules with named captures to reduce exposure to NGINX Rift attacks.
Meanwhile, Linux distribution maintainers, including AlmaLinux, Ubuntu, and Debian developers, have started rolling out patched NGINX packages to address CVE-2026-42945.
With exploitation attempts already underway, security experts are urging organizations to review their NGINX configurations, apply available patches immediately, and audit rewrite rules that may expose systems to the NGINX vulnerability.
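One way to audit rewrite rules for the pattern described under Technical Details, as an added example that is not code from F5 or the researchers: a heuristic Python scan that flags a rewrite whose replacement contains both an unnamed capture ($1, $2, ...) and a question mark, and that is followed in the same block by another rewrite, if, or set directive. The sample configuration is constructed, and treating any later directive in the same block as "followed by" is an assumption.

```python
import re
FOLLOWERS = {"rewrite", "if", "set"}   # directives the article names
UNNAMED = re.compile(r"\$\d")          # $1, $2, ... in a replacement string
SAMPLE = """\
location /old/ {
    rewrite ^/old/(.*)$ /new/$1?src=old;     # unnamed capture and '?'
    set $moved 1;                            # followed by set
}
location /safe/ {
    rewrite ^/safe/(?<rest>.*)$ /new/$rest?src=safe;   # named capture
    set $moved 1;
}
"""  # constructed sample, not taken from any real deployment

def directives(conf):
    """Yield (line, block_id, words); a minimal scanner, not a full parser."""
    buf, line, start, quote, stack = "", 1, 1, None, [0]
    chars = iter(conf)
    for ch in chars:
        line += ch == "\n"
        if quote:                      # inside quotes: copy verbatim
            buf += ch
            quote = None if ch == quote else quote
        elif ch == "#":                # comment: skip to end of line
            line += any(c == "\n" for c in chars)
        elif ch in ";{}":
            if buf.strip():
                yield start, stack[-1], buf.split()
            buf = ""
            if ch == "{":
                stack.append(object())  # unique id for the new block
            elif ch == "}" and len(stack) > 1:
                stack.pop()
        else:
            quote = ch if ch in "'\"" else None
            if not buf.strip() and not ch.isspace():
                start = line
            buf += ch

def audit(conf):
    """Return (line, text) for each rewrite matching the described pattern."""
    findings, pending = [], {}         # pending: block_id -> candidate rewrites
    for line, block, words in directives(conf):
        if words[0] in FOLLOWERS:      # earlier candidates are now "followed"
            findings += pending.pop(block, [])
        if words[0] == "rewrite" and len(words) >= 3:
            if UNNAMED.search(words[2]) and "?" in words[2]:
                pending.setdefault(block, []).append((line, " ".join(words)))
    return findings
```

Call `audit()` on the text of each configuration file, or on the output of `nginx -T`; `include` directives are not followed, and directives in different blocks are not correlated.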

