The Infiltration: Rapid Weaponization of an Architectural Legacy

On May 18, 2026, threat intelligence teams confirmed that a critical, newly disclosed vulnerability in NGINX—the world’s most widely deployed web server, reverse proxy, and load balancer—is under active, in-the-wild exploitation.

Dubbed “NGINX Rift” and tracked as CVE-2026-42945 (CVSS v4.0 Score: 9.2), the underlying memory corruption flaw had lurked undetected within the NGINX core engine for 18 years, dating back to version 0.6.27 released in 2008. Following official patch releases by F5 Networks on May 13, independent security researchers at Depthfirst published a functional public Proof-of-Concept (PoC) exploit.

According to Patrick Garrity, a lead security researcher at VulnCheck, automated scanning networks and opportunistic threat actors weaponized the public PoC within 72 hours. VulnCheck’s global network of canary honeypots began registering live, unauthenticated exploitation attempts aimed at compromising internet-facing corporate perimeters.


The Vulnerability Mechanics: Inside the Dual-Pass Heap Overflow

The NGINX Rift vulnerability lives inside the ngx_http_rewrite_module, an architectural component used by web administrators to manage URL redirections, rewrite HTTP rules, and route traffic to backend API pools.

The underlying defect stems from a size-mismatch calculation error during a two-pass string evaluation process within NGINX’s internal script routing engine:

  1. Pass One (Size Calculation): When a user supplies an HTTP request containing a URI, NGINX evaluates the rewrite block. If the configuration utilizes an unnamed Perl-Compatible Regular Expression (PCRE) capture group (such as $1 or $2) alongside a replacement string that contains a literal question mark (?), NGINX calculates the required heap destination buffer size using one escaping standard.
  2. Pass Two (Memory Allocation & Copy): When copying the data into the freshly allocated buffer, the internal state changes. Characters like +, %, and & expand unexpectedly under a secondary re-escaping filter.
  3. The Overflow: Because the string expands during the write phase but not the sizing phase, the data spills past the allocated heap boundary.

Crucially, because the out-of-bounds bytes are pulled directly from the attacker-controlled URI string, the memory corruption is structurally deterministic rather than random. This precision substantially increases the long-term risk of the flaw.


Impact Assessment: DoS vs. Remote Code Execution (RCE)

The real-world exploitability of NGINX Rift depends heavily on the host operating system’s defensive parameters and localized configuration files:

  • Denial of Service (DoS): On standard, out-of-the-box deployments, a single malformed HTTP request reliably triggers a heap smash, forcing the targeted NGINX worker process to crash instantly. While NGINX is designed to automatically spin up a new worker process following a crash, automated script loops can continuously drop workers into an endless crash loop, causing complete denial-of-service conditions for every site hosted on the instance.
  • Remote Code Execution (RCE): Achieving unauthenticated remote code execution requires two rare operational factors: the target server must use a specific nested rule context (where a vulnerable rewrite directive is immediately followed by a secondary rewrite, if, or set command), and Address Space Layout Randomization (ASLR) must be disabled.

Operating system maintainers, including AlmaLinux, noted that because ASLR is enforced by default on modern enterprise Linux distributions, building a generic, stable RCE exploit is mathematically difficult on default systems. However, threat intelligence teams warn that “difficult” does not equal “impossible,” and the baseline DoS exposure remains an urgent threat to operational availability.


Massive Perimeter Exposure: 5.7 Million Servers Running Vulnerable Builds

Data harvested from the Censys attack-surface mapping engine indicates that approximately 5.7 million internet-exposed NGINX instances are currently running software builds within the affected version range.

  • NGINX Open Source: Affected versions include 0.6.27 through 1.30.0. The remediation target is version 1.30.1, 1.31.0, or later.
  • NGINX Plus: Affected versions include release R32 through R36. The remediation target is release R32 P6, R36 P4, or later.
  • F5 WAF for NGINX: Affected versions include 5.9.0 through 5.12.1. The remediation target is version 5.13.0 or later.
  • NGINX Ingress Controller: Affected versions include 3.5.0 through 5.4.1. The remediation target is upstream patched images.

While only a fractional subset of these millions of servers host the exact configuration string required to move from a worker crash to full RCE, the massive footprint makes NGINX an incredibly lucrative playground for automated, opportunistic initial access brokers.


Defensive Directives: Urgent Configuration Hardening

With active exploit scripts circulating in the wild, systems administrators cannot afford to delay patch cycles. Enterprise security operations should execute a dual-layered containment strategy immediately:

1. Implement Immediate Configuration Mitigations

If your infrastructure teams cannot immediately schedule a maintenance window to upgrade production binaries or restart core load balancers, you can neutralize the exploit path by rewriting your nginx.conf logic. Eliminate unnamed PCRE variables by converting them into named captures.

Instead of writing a vulnerable syntax pattern like:

rewrite ^/api/(.*)$ /v2/route?id=$1;

Administrators should swap to a hardened mitigation syntax like:

rewrite ^/api/(?<tenant_id>.*)$ /v2/route?id=$tenant_id;

Using named captures changes the internal compilation path, completely bypassing the mismatched dual-pass code block.

2. Verify System-Level Memory Safeguards

Audit your core cloud images and container deployment scripts to verify that system-level kernel hardening features are functioning as intended. Run the following command on target Linux instances to ensure ASLR is actively protecting memory structures:

cat /proc/sys/kernel/randomize_va_space

Verify that the output returns a value of 2 (Full Randomization). If it returns 0, your system is highly vulnerable to remote code execution.
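As an added example that is not from the article or the NGINX project, the following POSIX shell helpers cover both steps above: they flag rewrite directives whose replacement uses an unnamed capture together with a literal question mark (step 1) and report the ASLR mode from randomize_va_space (step 2). The sample config files are constructed, and the one-directive-per-line, unquoted-regex parsing is an assumption.

```shell
# Added audit helpers; not from the article and not NGINX project code.
# Assumes config files (plus any included files) are passed as arguments and
# each rewrite directive sits on one line with an unquoted, space-free regex.
# Print "file:line: text" for every rewrite whose replacement references an
# unnamed capture ($1..$9) and contains a literal '?', the combination the
# article ties to the mismatched dual-pass sizing code.
find_unnamed_rewrites() {
    awk '
        /^[[:space:]]*#/ { next }          # skip commented-out lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "rewrite" && i + 2 <= NF) {
                    repl = $(i + 2)        # $(i+1) is the regex, $(i+2) the replacement
                    if (repl ~ /[$][0-9]/ && repl ~ /[?]/)
                        printf "%s:%d: %s\n", FILENAME, FNR, $0
                }
            }
        }' "$@"
}
# Number of flagged directives, for scripting and tests.
count_unnamed_rewrites() {
    find_unnamed_rewrites "$@" | wc -l | tr -d ' '
}
# ASLR mode from randomize_va_space (path overridable for tests): prints
# full|partial|disabled|unknown; exit status is 0 only for "full".
aslr_status() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$f" ] || { echo unknown; return 2; }
    case "$(cat "$f")" in
        2) echo full; return 0 ;;
        1) echo partial; return 1 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}
# Constructed sample configs (not real deployments) to exercise the checks.
VULN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
cat > "$VULN_CONF" <<'EOF'
server {
    rewrite ^/api/(.*)$ /v2/route?id=$1;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    if ($request_uri ~ ^/legacy/(.*)$) { rewrite ^ /v1?q=$1 last; }
}
EOF
cat > "$FIXED_CONF" <<'EOF'
server {
    rewrite ^/api/(?<tenant_id>.*)$ /v2/route?id=$tenant_id;
}
EOF
find_unnamed_rewrites "$VULN_CONF"    # expect the two flagged lines
echo "ASLR: $(aslr_status)"           # 2 in randomize_va_space prints "full"
```

The `/new/$1` rewrite is deliberately left unflagged because its replacement has no `?`; convert it too if you follow the article's blanket advice to eliminate unnamed captures.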
