CVE-2026-42945: 18-Year-Old NGINX Rewrite Module Flaw Puts a Third of the Web at Risk
A heap buffer overflow in NGINX's ngx_http_rewrite_module — undetected for 18 years — was publicly disclosed yesterday. It carries a CVSS v4 score of 9.2 and affects effectively every NGINX version from 2008 to 2026. The researchers who found it gave it a codename: NGINX Rift.
NGINX powers roughly 33% of the web — including most WordPress hosting, Cloudflare's edge, every major SaaS reverse proxy, and a long tail of self-hosted infrastructure. If you run anything more complex than a static HTML page, NGINX is almost certainly somewhere in your stack.
Here's what the bug actually does, who's exposed, and what to do tonight.
The bug, in three sentences
NGINX's rewrite module mishandles a specific URL pattern: when a rewrite directive uses an unnamed Perl-Compatible Regular Expression capture (the $1, $2 style) AND the replacement string contains a question mark, the module miscalculates buffer size during URI processing.
An attacker sends a crafted HTTP request matching that pattern. NGINX writes attacker-controlled bytes past the allocated buffer into adjacent heap memory.
On systems with Address Space Layout Randomization (ASLR) enabled — most modern Linux servers — the result is typically a worker process crash and DoS. On systems with ASLR disabled (some embedded systems, older hardened configurations, certain container runtimes) the overflow is enough to achieve remote code execution.
Who's affected
| NGINX line | Vulnerable | Patched in |
|---|---|---|
| NGINX Plus | R32 – R36 | R32 P6 / R36 P4 |
| NGINX Open Source | 1.0.0 – 1.30.0 | 1.30.1 / 1.31.0 |
| NGINX Open Source | 0.6.27 – 0.9.7 | No patches planned — upgrade required |
| Derivatives | OpenResty, Tengine, others (carrying the affected module) | Check each vendor's advisory |
The bug has shipped in every mainline NGINX release since 1.0.0 in 2011. The reach is enormous: anything from a single VPS running NGINX to a corporate load balancer cluster to a content delivery network is in scope.
The exploit trigger — and what it tells you about risk
For your specific NGINX instance to be exploitable, three conditions must all hold:
- You're running an affected version (extremely likely if you haven't patched in the last 24 hours)
- Your
nginx.confcontains arewritedirective followed by anotherrewrite,if, orsetdirective - That directive uses an unnamed PCRE capture (
$1,$2, etc.) with a replacement string containing a literal?
Many configurations don't match all three. Many do — particularly any site doing URL rewriting for SEO-friendly URLs, multi-language redirects, or query-string manipulation. WordPress sites using the common try_files + rewrite pattern are usually fine; ones using complex SEO rewrite chains aren't.
Check your config:
grep -rE 'rewrite\s+.*\$[0-9].*\?' /etc/nginx/
Any match is a candidate trigger. Treat your server as exploitable until patched.
Why the "no active exploitation yet" note is misleading
Public disclosure changed the threat model the moment it landed. Before May 18, only the researchers at depthfirst (who disclosed responsibly on April 21) and the NGINX maintainers knew about the bug. After May 18, every offensive security team on the planet has a research target.
For a heap overflow with a published trigger pattern, the gap between "disclosed" and "weaponised exploit in the wild" is typically 7–14 days. By the time the first detections fire, hundreds of thousands of servers have been probed. Patching after exploitation appears in the news means you've already lost the race.
Treat this CVE the same way you'd treat CVE-2026-41940 (cPanel) or CVE-2026-0740 (Ninja Forms): the disclosure date is when the window opened, not when it closed.
What to do tonight
1. Identify your NGINX version
nginx -v
If you're running anything 1.0.0 through 1.30.0 (Open Source) or R32 through R36 (Plus), you're vulnerable.
2. Patch
Most hosting providers handle this automatically via system packages within 24-48 hours of disclosure. If you self-manage:
# Debian/Ubuntu
sudo apt update && sudo apt install --only-upgrade nginx
# RHEL/CentOS/Rocky
sudo dnf upgrade nginx
# Verify
nginx -v
Patched versions are 1.30.1 (current stable) or 1.31.0 (mainline). NGINX Plus customers should upgrade to R32 P6 or R36 P4.
3. Reload, don't restart
sudo nginx -t && sudo systemctl reload nginx
Zero-downtime reload — active connections drain cleanly to old workers while new workers start with the patched binary.
4. Workaround if patching is delayed
If you can't patch immediately (vendor lock, change-control window), the temporary fix is to replace unnamed PCRE captures with named captures in your rewrite directives:
# Vulnerable
rewrite ^/old/(.*)\.html$ /new/$1?legacy=1 last;
# Workaround — named capture
rewrite ^/old/(?<slug>.*)\.html$ /new/$slug?legacy=1 last;
This bypasses the exact code path the overflow lives in. Apply only as a stopgap; patch as soon as your maintenance window allows.
Where Obsyde Aegis fits
The NGINX vulnerability lives at the reverse-proxy layer, below where Aegis runs. We can't patch NGINX for you — that's a system-level update. What Aegis does well in this context is detect post-exploitation activity: web shells written to WordPress upload directories, credential exfiltration patterns, lateral movement from a compromised reverse proxy into the WordPress application layer.
If an attacker uses CVE-2026-42945 to compromise your NGINX worker, their next move is almost always: drop a web shell into the document root, then start exfiltrating data through normal HTTPS. Aegis pattern-matches those follow-on requests. The earlier you see them, the smaller the breach.
Patching NGINX prevents step one. Aegis catches steps two through ten. Layered defence, not either/or.
The 10-minute checklist
nginx -vto identify your version- If vulnerable, run the package upgrade for your distro
nginx -tto validate the new config, thensystemctl reload nginxgrep -rE 'rewrite\s+.*\$[0-9].*\?' /etc/nginx/to find configs matching the trigger pattern (even after patching, these are worth refactoring)- Review your error logs for unusual NGINX worker crashes in the last 30 days — they may indicate exploit attempts predating disclosure
- Check your hosting provider's advisory page if you're on managed hosting; most major providers patched within 24 hours
- If you're on shared hosting, contact your provider for confirmation
Conclusion
An 18-year-old bug in software running a third of the internet is the kind of finding that quietly resets baseline assumptions. The patches exist. The exploit trigger is public. The next 24-72 hours decide who patches before the first weaponised exploits arrive and who reads about themselves in next week's incident reports.
If your stack touches NGINX anywhere, treat this as urgent. The number of servers that will get compromised over the next fortnight is unlikely to be small.
References
Related Insights
CVE-2026-4020: Gravity SMTP Bug Leaks Live API Keys to Anyone — 17 Million Attacks and Counting
A critical information-disclosure flaw in the Gravity SMTP plugin lets unauthenticated attackers read your live API keys and OAuth tokens for Amazon SES, Gmail, Mailjet, Resend and Zoho. Over 17 million exploit attempts blocked since May. The fix is in 2.1.5 — but you also need to rotate every credential. Here's how it works, what's exposed, and exactly how to respond.
10 min read
CVE-2026-8713: Avada Builder Flaw Lets Anyone Delete Your WordPress Files (1 Million Sites at Risk)
A critical CVSS 9.1 vulnerability in the Avada Builder WordPress plugin lets unauthenticated attackers delete arbitrary files — including wp-config.php — leading to full site takeover. Roughly one million sites were exposed before the patch in version 3.15.4. Here's how it works, who's affected, exactly how to fix it, and how to check whether your site has already been hit.
10 min read
WordPress Security in 2026: The CVEs Putting Sites at Risk — and the Managed Protection That Stops Them
The WordPress CVEs hitting sites in 2026 — Ninja Forms, cPanel and NGINX — and why handing your site to a managed security company beats chasing every vulnerability yourself.
7 min read