Cybersecurity researchers have uncovered multiple security vulnerabilities affecting NGINX Plus and NGINX Open, including a critical flaw that went undetected for 18 years.
This vulnerability, discovered by DepthFirst, is a heap buffer overflow issue affecting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to execute remote code or cause a denial of service (DoS) via a crafted request. The code name is NGINX Rift.
“NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,” F5 said in an advisory published Wednesday. “This vulnerability exists when a rewrite directive is followed by a rewrite, if, or set directive followed by an unnamed Perl Compatible Regular Expression (PCRE) capture ($1, $2, etc.) with a substitution string that contains a question mark (?).”
“An unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request with uncontrollable conditions. This could cause a heap buffer overflow in the NGINX worker process, potentially leading to a restart. Additionally, it could lead to code execution on systems where Address Space Layout Randomization (ASLR) is disabled.”
This issue was resolved in the next version after responsible disclosure on April 21, 2026.
NGINX Plus R32 – R36 (fixes introduced in R32 P6 and R36 P4) NGINX Open Source 1.0.0 – 1.30.0 (fixes introduced in 1.30.1 and 1.31.0) NGINX Open Source 0.6.27 – 0.9.7 (no fixes planned) NGINX Instance Manager 2.16.0 – 2.21.1 F5 WAF for NGINX 5.9.0 – 5.12.1 NGINX App Protect WAF 4.9.0 – 4.16.0 NGINX App Protect WAF 5.1.0 – 5.8.0 F5 DoS for NGINX 4.8.0 NGINX App Protect DoS 4.3.0 – 4.7.0 NGINX Gateway Fabric 1.3.0 – 1.6.2 NGINX Gateway Fabric 2.0.0 – 2.5.1 NGINX Ingress Controller 3.5.0 – 3.7.2 NGINX Ingress Controller 4.0.0 – 4.0.1 NGINX Ingress Controller 5.0.0 – 5.4.1
DepthFirst said in its own advisory that the vulnerability could allow an unauthenticated, remote attacker to corrupt the heap of an NGINX worker process by sending a crafted URI. The severity of this vulnerability is that it is accessible without authentication and can be safely used to cause a heap overflow, potentially leading to remote code execution in the NGINX worker process.
“An attacker with access to a vulnerable NGINX server via HTTP could send a single request that overflows the heap of a worker process and potentially execute remote code,” Depthfirst said. “There are no authentication steps or prior access requirements, and no existing session is required.”
“The bytes written beyond the quota are derived from the attacker’s URI, so the corruption is not random but instead created by the attacker. Repeated requests can also be used to force the worker into a crash loop and reduce the availability of all sites served by the instance.”
Three other flaws have been patched in NGINX Plus and NGINX Open Source.
CVE-2026-42946 (CVSS v4 score: 8.3) – Excessive memory allocation vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module modules allows a remote unauthenticated attacker with adversarial man-in-the-middle (AitM) capabilities to control responses from an upstream server, allowing an NGINX worker to It may be possible to read the process’s memory or restart it. scgi_pass or uwsgi_pass is configured. CVE-2026-40701 (CVSS v4 Score: 6.3) – There is a use-after-free vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to ‘on’ or ‘optional’ and the ssl_ocsp If the directive is set, a remote unauthenticated attacker could gain limited control over modifying data or restarting the NGINX worker process. Turn “on”. CVE-2026-42934 (CVSS v4 Score: 6.3) – An out-of-bounds read vulnerability in the ngx_http_charset_module module allows a remote unauthenticated attacker to disclose memory contents or access the You may need to restart the process.
We recommend applying the latest version for optimal protection. If immediate patching for CVE-2026-42945 is not an option, we recommend that you modify your rewrite configuration by replacing unnamed captures with named captures in all affected rewrite directives.
Source link
