CVSS 9.2
Critical severity score assigned to CVE-2026-42945 via CVSS v3.1 — the highest tier for remotely exploitable unauthenticated server-side vulnerabilities, placing it alongside the most dangerous web server disclosures on record
18 years
Duration this heap buffer overflow existed undetected in the nginx codebase — every stable release from nginx 0.6.27 in 2008 through 1.30.0 ships with the vulnerable rewrite module code
34%
Percentage of all active websites globally that run nginx (W3Techs, May 2026) — making CVE-2026-42945 one of the widest-reach unauthenticated server vulnerabilities ever disclosed for production web infrastructure
0 credentials required
Authentication required to trigger CVE-2026-42945 — a single crafted HTTP request to any reachable nginx port with the vulnerable rewrite pattern is sufficient to crash the worker process or achieve code execution

CVE-2026-42945, the nginx vulnerability researchers named NGINX Rift, exposes every web server running nginx versions 0.6.27 through 1.30.0 to unauthenticated heap corruption via a single crafted HTTP request. A public proof-of-concept demonstrating root-level code execution became available on May 13, 2026 — 18 years after the vulnerable code first shipped.

The nginx rewrite module vulnerability CVE-2026-42945 lives in ngx_http_rewrite_module, the component responsible for URL rewriting and redirection. Researchers at depthfirst discovered that the size-calculation pass and the subsequent write pass handle certain URI characters differently under specific rewrite conditions. When a rewrite directive includes an unnamed PCRE capture group ($1 or $2) and a question mark in the replacement string, an internal flag called is_args remains set during the allocation phase. A downstream set directive then calculates the memory it needs on the assumption that no URI escaping is required, while the write operation, which still observes the flag, applies URI escaping that expands the data past the allocated buffer boundary. The result is a heap overflow in the nginx worker process.

The attack requires no authentication and no user interaction. Any HTTP client can send a single specially crafted request to any nginx-exposed port where the vulnerable rewrite pattern is active. The immediate outcome is a denial of service: the worker process crashes and nginx's master process restarts it. Researchers confirmed full code execution in environments where address space layout randomization is disabled, a configuration common in container deployments, older Linux distributions, and embedded systems.

The nginx rewrite module has been part of the project since 0.6.27, released in 2008. Every stable and mainline nginx release for the next 18 years shipped with the vulnerable code. Nginx powers approximately 34% of all active websites globally, making CVE-2026-42945 one of the widest-reach server vulnerabilities ever disclosed. Patch to nginx 1.30.1 before this weekend.

How Does the NGINX Rift Buffer Overflow Work?

The buffer overflow in CVE-2026-42945 originates from a design flaw in how ngx_http_rewrite_module processes URL rewrite replacements containing both a question mark and unnamed PCRE capture groups.

Nginx processes rewrite directives in two sequential passes. The first pass estimates the size of the destination buffer needed to store the rewritten URL. The second pass writes the transformed result into that allocated buffer. The vulnerability emerges when these two passes handle the same characters differently under specific conditions.

When a rewrite directive contains a question mark in the replacement string, nginx sets an internal flag called is_args permanently for the remainder of that request's rewrite chain. This flag signals that the URL contains query arguments and triggers URI encoding for special characters during the write phase. The allocation phase calculates buffer size without accounting for the escaping expansion that is_args will cause in the same directive scope.

The trigger condition requires three elements in the nginx configuration: a rewrite directive using an unnamed PCRE capture group ($1 or $2 syntax), a replacement string containing a literal question mark, and a second rewrite, if, or set directive in the same location or server block scope following the initial rewrite. When all three conditions are present, the allocation pass calculates a buffer that is too small for the data the write pass will produce. The write pass overflows the buffer into adjacent heap memory, corrupting internal nginx state.

Researchers at depthfirst published a working proof-of-concept on May 13, 2026 alongside their full technical paper. The PoC demonstrates complete code execution in environments where ASLR is disabled, which is common in container-based deployments and older Linux distributions. In ASLR-enabled environments, the primary impact is a repeatable denial of service: the nginx worker process crashes and is automatically restarted by the master process, dropping all in-flight connections handled by that worker during the restart window. The CVSS 9.2 score reflects the worst-case RCE scenario as documented by the National Vulnerability Database.

Which nginx Versions Are Affected by CVE-2026-42945?

CVE-2026-42945 affects nginx versions 0.6.27 through 1.30.0, covering every stable and mainline release issued between 2008 and May 13, 2026. This 18-year window means that no nginx build released before the patch is free of the vulnerable code in its rewrite module.

The affected range covers nginx 1.24.x, 1.26.x, and 1.28.x — the most widely deployed stable versions in production as of 2026. Nginx powers approximately 34% of all active websites globally according to W3Techs data from May 2026. The nginx open-source distribution also forms the foundation for commercial products including NGINX Plus and the NGINX Ingress Controller for Kubernetes. Organizations running Kubernetes ingress controllers based on nginx must verify whether their ingress controller version incorporates the patch.

Which configurations are vulnerable? Exploitation requires the specific three-element rewrite pattern: unnamed PCRE capture group, question mark in replacement, followed by another rewrite-type directive. Standard reverse proxy configurations using only proxy_pass without rewrite directives are not affected. Configurations using rewrite directives with named capture groups are not affected. WordPress permalink configurations, Django URL dispatching setups, and many Node.js reverse proxy templates commonly use the vulnerable unnamed-capture pattern, placing a large proportion of production nginx deployments in scope.
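The three-element pattern and the clean cases listed above, as an added example that is not the article's or the nginx project's own code: a small scanner that walks an nginx configuration and reports only rewrites that meet all three conditions, so proxy_pass-only blocks and named-capture rewrites (the workaround described later) come back clean. The config sample is constructed, and the line-oriented tokenizer (one directive per line, blocks opened with "{" and closed with "}") is a simplifying assumption rather than a full nginx config parser.

```python
import re

# Added example: flags the CVE-2026-42945 trigger pattern in an nginx config.
UNNAMED_CAPTURE = re.compile(r"\$\d+")   # $1, $2, ... referenced in the replacement
FOLLOW_UP = {"rewrite", "if", "set"}     # directives that complete the pattern


def find_vulnerable_rewrites(config_text):
    """Return one finding per rewrite that meets all three trigger conditions."""
    findings = []
    # One entry per open block: its header and the rewrites in it that meet
    # conditions 1 and 2 but are still waiting for a follow-up directive.
    stack = [{"name": "main", "pending": []}]
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        opens_block = line.endswith("{")
        body = line.rstrip("{;").strip()
        tokens = body.split()
        if not tokens:
            continue
        directive = tokens[0]
        if directive in FOLLOW_UP:
            # Condition 3: a later rewrite/if/set in the same block.
            for pending in stack[-1]["pending"]:
                findings.append({**pending, "completed_by": f"{directive} (line {lineno})"})
            stack[-1]["pending"].clear()
        if directive == "rewrite" and len(tokens) >= 3:
            replacement = tokens[2]
            # Conditions 1 and 2: unnamed capture reference plus a literal '?'.
            if UNNAMED_CAPTURE.search(replacement) and "?" in replacement:
                stack[-1]["pending"].append(
                    {"line": lineno, "block": stack[-1]["name"], "rewrite": body})
        if opens_block:
            stack.append({"name": body, "pending": []})
    return findings


# Constructed sample config: one vulnerable location, three clean ones.
SAMPLE_CONFIG = """server {
    listen 80;
    location /api/ {
        proxy_pass http://backend;      # proxy-only block: clean
    }
    location /legacy/ {
        rewrite ^/legacy/(.*)$ /app/$1?src=legacy last;   # conditions 1 and 2
        set $pool "legacy";                                # condition 3
    }
    location /named/ {
        rewrite ^/named/(?P<rest>.*)$ /app/$rest?src=named last;  # named: clean
        set $pool "named";
    }
    location /single/ {
        rewrite ^/single/(.*)$ /app/$1?src=single last;   # no follow-up: clean
    }
}
"""

if __name__ == "__main__":
    for f in find_vulnerable_rewrites(SAMPLE_CONFIG):
        print(f"line {f['line']} in {f['block']}: {f['rewrite']} <- {f['completed_by']}")
```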

The nginx rewrite module vulnerability is not present in Prisma Access, Cloud NGFW, or Panorama appliances. It is limited to deployments of the open-source nginx binary and products built on it.

The fixed version is nginx 1.30.1, released May 13, 2026. Ubuntu, Debian, Red Hat Enterprise Linux, and Alpine Linux all pushed updated packages by May 14, 2026, per The Hacker News coverage of the disclosure.

Is CVE-2026-42945 Being Actively Exploited Right Now?

A working proof-of-concept for CVE-2026-42945 became publicly available on May 13, 2026, the same day as the full vulnerability disclosure. Researchers at depthfirst published both the technical analysis and the exploit code in their paper "NGINX Rift: Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability."

No confirmed in-the-wild exploitation had been reported as of May 15, 2026. Several factors indicate that active scanning is underway. The vulnerability requires no authentication, making automated probing feasible with minimal infrastructure. The GitHub repository for the nginx-rift proof-of-concept is publicly accessible, and Shodan and Censys continuously index internet-facing nginx servers. Security researchers at Picus Security noted in their May 13 analysis that the conditions triggering the vulnerability appear in the majority of reverse-proxy setups serving dynamic web applications.

CISA had not added CVE-2026-42945 to its Known Exploited Vulnerabilities catalog as of May 15, 2026. Based on CISA's historical pattern of adding vulnerabilities with public proof-of-concept code within 72 hours of confirmed in-the-wild exploitation, federal agencies should treat this as a likely near-term KEV addition and prioritize patching now rather than waiting for an official deadline.

The threat actor profile for initial exploitation follows the standard post-disclosure pattern: opportunistic automated scanners will probe at scale before targeted actors adapt the PoC for specific campaigns. The 48-hour window between public PoC availability and first confirmed exploitation has been documented across previous high-profile server vulnerabilities. Security teams that applied emergency patches for the CVE-2026-33032 nginx-ui MCPwn authentication bypass within two days of that disclosure found themselves ahead of confirmed exploitation by approximately 24 hours.

The conditions triggering CVE-2026-42945 appear in the majority of reverse-proxy setups serving dynamic web applications. It is one of the most broadly deployed vulnerable patterns we have assessed.

Picus Security Research, May 2026

How to Detect CVE-2026-42945 Exploitation Attempts

Two detection layers provide the earliest warning of CVE-2026-42945 exploitation: nginx process monitoring and HTTP access log analysis.

Process-level detection: CVE-2026-42945 exploits cause the nginx worker process to crash with a segmentation fault. Nginx logs these crashes to the error log as "worker process [PID] exited on signal 11." A single crash may be a transient error. Two or more crashes from the same remote IP address within 60 seconds indicate automated exploitation scanning and should trigger immediate investigation and block action. Configure alerting on this pattern in your SIEM with a threshold of two or more occurrences per source IP per minute.
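The process-level rule above, as an added example that is not the article's or nginx's own code: a sliding 60-second window over "exited on signal 11" lines that raises an alert at the second crash. It assumes the standard nginx error-log line format; that line is written by the master process and carries no client address, so the count here is per server, and attributing a burst to a source IP needs correlation with access logs or an upstream proxy. The log lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Added example: crash-burst detector for the nginx error log.
# Assumed line shape: "2026/05/14 12:14:02 [alert] 1#1: worker process 41 exited on signal 11"
CRASH_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal 11\b"
)
WINDOW = timedelta(seconds=60)
THRESHOLD = 2


def find_crash_bursts(log_lines, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, pids) for each point where `threshold` worker crashes
    fall inside `window`; the window is cleared after an alert so one burst is
    reported once rather than on every further crash."""
    alerts = []
    recent = deque()   # (timestamp, pid) of crashes inside the current window
    for line in log_lines:
        m = CRASH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        recent.append((ts, int(m.group("pid"))))
        while recent and ts - recent[0][0] > window:
            recent.popleft()           # drop crashes older than the window
        if len(recent) >= threshold:
            alerts.append((ts, [pid for _, pid in recent]))
            recent.clear()
    return alerts


# Constructed sample: a lone crash at 09:00 (ignored), then a burst after noon.
SAMPLE_ERROR_LOG = [
    "2026/05/14 09:00:11 [alert] 1#1: worker process 40 exited on signal 11",
    "2026/05/14 09:00:11 [notice] 1#1: start worker process 41",
    "2026/05/14 12:14:02 [alert] 1#1: worker process 41 exited on signal 11",
    "2026/05/14 12:14:02 [notice] 1#1: start worker process 42",
    '2026/05/14 12:14:30 [error] 1#1: open() "/var/www/x" failed (2: No such file)',
    "2026/05/14 12:14:47 [alert] 1#1: worker process 42 exited on signal 11",
    "2026/05/14 12:14:47 [notice] 1#1: start worker process 43",
    "2026/05/14 12:15:05 [alert] 1#1: worker process 43 exited on signal 11",
]

if __name__ == "__main__":
    for ts, pids in find_crash_bursts(SAMPLE_ERROR_LOG):
        print(f"ALERT {ts:%Y-%m-%d %H:%M:%S}: {len(pids)} worker crashes in 60s, pids {pids}")
```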

Access log detection: The malicious request must target a URI location served by a rewrite rule with the vulnerable three-element pattern. Exploitation attempts appear in nginx access logs as requests to rewrite-mapped locations with anomalous URI structures, particularly unexpected query string expansions in locations that normally do not process complex query parameters. Log analysis rules that baseline normal request patterns for rewrite-enabled locations will surface deviations within hours of a scanning campaign targeting your infrastructure.

Network behavior detection: Successful RCE via CVE-2026-42945 results in the nginx worker process establishing outbound connections to attacker-controlled infrastructure. Monitor for any outbound TCP connection initiated from the nginx worker process user to external IP addresses. This activity has no legitimate operational cause and indicates post-exploitation code execution.

How to Patch and Mitigate the nginx Rewrite Module Vulnerability

Patches for CVE-2026-42945 are available now. Nginx 1.30.1 was released on May 13, 2026, the same day as the public disclosure and proof-of-concept publication. Every major Linux distribution pushed updated packages by May 14. Upgrading is the complete fix. No configuration change removes the vulnerability from nginx versions below 1.30.1.

The interim workaround of converting unnamed capture groups to named capture groups is viable for organizations that cannot patch immediately due to maintenance windows or change-freeze policies. Named capture groups use a different code path in ngx_http_rewrite_module that does not exhibit the size-calculation mismatch. The syntax change is minimal: a rule like "rewrite ^/(.*) /$1?q=1 last" becomes "rewrite ^/(?P<path>.*) /$path?q=1 last". Test all rewrite rules after this conversion to verify that URL routing behavior is unchanged.

For defense-in-depth beyond patching, restrict file-system write access for the nginx worker user. Post-exploitation code execution in an nginx worker runs as the nginx service account. If that user cannot write to the nginx configuration directory or the document root, persistence through configuration modification or web shell deployment is blocked. File permission controls on nginx configuration directories provide an effective post-exploitation constraint that complements patching.

Kubernetes environments require separate attention. Helm-based nginx Ingress Controller deployments use a container image that bundles the nginx binary. Upgrading the host nginx package does not update nginx inside running containers. The ingress controller Helm chart must be upgraded to a version that ships with an nginx 1.30.1 or later base image. Check the current nginx version inside ingress controller pods with: kubectl exec -n ingress-nginx [pod-name] -- nginx -v.

Why the nginx Rewrite Module Vulnerability CVE-2026-42945 Matters for Your Organization

The nginx rewrite module vulnerability CVE-2026-42945 is not a hypothetical risk. Nginx is the default web server for cloud-native frameworks, Kubernetes ingress, and the majority of modern reverse proxy architectures. A successful denial-of-service attack against a production nginx server drops all connections handled by the affected worker. For high-traffic environments, this is a customer-visible outage lasting seconds to minutes per exploitation attempt. A successful RCE attack places an attacker inside your application tier with code execution.

From that network position, an attacker with code execution on an nginx server can read all proxied traffic in cleartext before upstream TLS termination, access backend service credentials embedded in nginx configuration files or environment variables, enumerate internal IP routing and pivot to backend services reachable from the web tier, and extract TLS private keys if nginx terminates SSL directly. This post-exploitation path mirrors the lateral movement documented in the Palo Alto PAN-OS CVE-2026-0300 firewall compromise, where attackers used code execution on a perimeter device to enumerate Active Directory and harvest VPN credentials before pivoting deeper.

Organizations using nginx in shared-ingress deployments face an amplified blast radius. A single compromised nginx worker in a shared Kubernetes ingress controller can access traffic from all tenants routing through that ingress, not only the targeted application. Multi-tenant SaaS platforms, managed hosting providers, and Kubernetes clusters serving multiple applications from one ingress pod face cross-tenant data exposure risk.

The 18-year lifespan of this flaw in production code is a practical reminder that vulnerability age does not correlate with patchability or exploitability. Today is close-this-gap day: verify your nginx version, apply the patch, and close the exposure before Monday morning.

The bottom line

CVE-2026-42945 (NGINX Rift) puts every nginx server running rewrite rules with unnamed PCRE captures at risk of unauthenticated heap corruption, with a public proof-of-concept available since May 13. Three takeaways: the flaw spans all nginx versions 0.6.27 through 1.30.0, no credentials are required to trigger it, and the vulnerable rewrite pattern appears in the majority of production reverse-proxy and WordPress configurations. Upgrade to nginx 1.30.1 or later before end of day today. If patching is not immediately possible, convert unnamed capture groups to named captures and restrict the worker process from writing to configuration directories.

Frequently asked questions

What is CVE-2026-42945 (NGINX Rift)?

CVE-2026-42945, named NGINX Rift by the researchers who discovered it, is a heap buffer overflow vulnerability in ngx_http_rewrite_module, the component of nginx responsible for URL rewriting and redirection. The flaw was introduced in nginx 0.6.27 in 2008 and affects every stable and mainline release through 1.30.0. A remote unauthenticated attacker can trigger the overflow by sending a single specially crafted HTTP request to any nginx server where the vulnerable rewrite configuration pattern is active. The immediate outcome is a worker process crash. In environments with address space layout randomization disabled, full remote code execution is possible. The fixed version is nginx 1.30.1, released May 13, 2026.

How does the NGINX Rift vulnerability work?

The flaw originates from a mismatch between nginx's buffer size estimation pass and its buffer write pass during rewrite directive processing. When a rewrite directive uses an unnamed PCRE capture group ($1 or $2) and includes a question mark in the replacement string, an internal flag called is_args remains set permanently. A downstream set or rewrite directive then calculates buffer size assuming no URI escaping is needed, but the write operation applies URI escaping that expands the output past the allocated boundary. The resulting heap overflow corrupts internal nginx state, crashing the worker process and enabling code execution in environments where ASLR is disabled.

Which nginx versions are affected by CVE-2026-42945?

CVE-2026-42945 affects nginx versions 0.6.27 through 1.30.0, covering every stable and mainline release issued between 2008 and May 13, 2026. Both the nginx open-source distribution and commercial NGINX Plus products built on affected nginx versions are vulnerable. The vulnerability is limited to deployments of nginx binaries that include ngx_http_rewrite_module, which is compiled in by default. Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The fixed version is nginx 1.30.1. Major Linux distributions including Ubuntu, Debian, Red Hat Enterprise Linux, and Alpine Linux all had updated packages available by May 14, 2026.

Is there a patch for CVE-2026-42945?

Yes. Nginx 1.30.1, released May 13, 2026, fully resolves CVE-2026-42945 by correcting the size calculation logic in ngx_http_rewrite_module. All major Linux distribution package repositories had updated packages available by May 14, 2026. Organizations can verify their installed version with the command nginx -v. An interim workaround is available for environments that cannot immediately patch: converting unnamed PCRE capture groups ($1 and $2) to named capture groups avoids the vulnerable code path while maintaining identical URL routing behavior. Named capture syntax is rewrite ^/(?P<path>.*) /$path?q=1 last instead of rewrite ^/(.*) /$1?q=1 last.

How do I detect CVE-2026-42945 exploitation attempts?

Configure alerting on the pattern 'worker process exited on signal 11' in the nginx error log at /var/log/nginx/error.log. A single occurrence may be a transient error. Two or more occurrences from the same source IP address within 60 seconds indicate automated exploitation scanning and should trigger immediate investigation. At the network layer, monitor for outbound TCP connections initiated by the nginx worker process user (typically www-data or nginx) to external IP addresses. This activity has no legitimate cause and indicates successful post-exploitation code execution following a heap overflow.

How do I fix or mitigate the NGINX Rift vulnerability?

Upgrade nginx to version 1.30.1 or higher using your distribution package manager: apt update and apt install nginx on Ubuntu and Debian, dnf update nginx on RHEL and CentOS, or apk upgrade nginx on Alpine Linux. Verify the installed version with nginx -v. For Kubernetes environments, upgrade the nginx Ingress Controller Helm chart separately to pull the patched nginx base image, as upgrading the host nginx package does not update nginx inside running containers. If immediate patching is not possible, convert all unnamed PCRE capture groups in rewrite directives from $1/$2 syntax to named capture group syntax as an interim workaround.

Do I need rewrite rules for CVE-2026-42945 to be exploitable?

Yes. Exploitation of CVE-2026-42945 requires a specific three-element pattern in the nginx configuration: an unnamed PCRE capture group in the rewrite match expression using $1 or $2 syntax, a question mark in the rewrite replacement string, and a second rewrite, if, or set directive in the same location or server block scope. Nginx servers using only proxy_pass, fastcgi_pass, or other directives without rewrite rules containing unnamed captures and question marks are not vulnerable to this attack path. However, this exact three-element pattern appears in default WordPress permalink configurations, many Django reverse proxy setups, and common Node.js routing templates.

What can an attacker do with the NGINX Rift RCE?

An attacker achieving code execution via CVE-2026-42945 runs as the nginx worker process user, typically www-data or nginx. From this position, the attacker can read all proxied traffic in cleartext before upstream TLS termination, access backend service credentials stored in nginx configuration files or environment variables, enumerate internal network routing to pivot to backend services accessible from the web tier, and extract TLS private keys if nginx terminates SSL directly. In shared-ingress Kubernetes deployments, the blast radius expands to all application tenants routing through the compromised ingress controller, not just the targeted application.

Sources & references

  1. NVD — CVE-2026-42945 Detail
  2. The Hacker News — 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
  3. depthfirst Research — NGINX Rift: Achieving NGINX RCE via an 18-Year-Old Vulnerability
  4. Picus Security — NGINX Rift CVE-2026-42945 Critical Heap Buffer Overflow Vulnerability Explained

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
