Web infrastructure bugs remain especially dangerous when they sit in widely deployed request-handling logic for years without detection. Among the latest vulnerabilities impacting NGINX Plus and NGINX Open Source, the CVE-2026-42945 vulnerability stands out as an 18-year-old heap buffer overflow in ngx_http_rewrite_module that can be reached by an unauthenticated attacker through crafted HTTP requests and may lead to denial of service or, in some cases, remote code execution. Public reporting cites a CVSS v4 score of 9.2 and refers to the issue as NGINX Rift.
From a defender’s perspective, the most important details for CVE-2026-42945 are the affected configuration pattern and patch path. Public CVE-2026-42945 analysis shows the flaw is exposed when a rewrite directive uses an unnamed PCRE capture such as $1 or $2, includes a replacement string with a question mark, and is followed by another rewrite, if, or set directive in the same scope.
CVE-2026-42945 Analysis
At the technical level, the vulnerability in CVE-2026-42945 is caused by inconsistent escaping logic in the rewrite engine. Depthfirst explains that NGINX computes the destination buffer length under one set of assumptions and then copies data under another, so bytes derived from the attacker-controlled URI can run past the allocated heap buffer in the worker process.
In practical terms, the public CVE-2026-42945 payload is not a dropped binary or script, but a specially crafted HTTP request that reaches a vulnerable rewrite rule and triggers deterministic heap corruption. F5 says this can restart the worker process, while public reporting adds that code execution may also be possible, particularly on systems where ASLR is disabled.
The disclosure is notable because a technical write-up and root-cause explanation were released alongside the advisory, and depthfirst explicitly says its full analysis includes a CVE-2026-42945 PoC and patch walkthrough. At the same time, the vendor and researcher materials state they were not aware of in-the-wild exploitation at disclosure.
Exposure is broad because CVE-2026-42945 affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. The nginx security advisories page also lists additional affected F5 and NGINX products built around the same codebase, while fixed open source releases are 1.30.1 and 1.31.0.
CVE-2026-42945 Mitigation
The priority for CVE-2026-42945 mitigation is to upgrade to a fixed release. For NGINX Open Source, that means moving to 1.30.1 or 1.31.0. For NGINX Plus, the fixes were introduced in R32 P6 and R36 P4. Depthfirst also recommends restarting NGINX after the upgrade so worker processes reload the patched binary.
To detect CVE-2026-42945 exposure, defenders should review NGINX configurations for rewrite directives that combine unnamed captures with a replacement string containing ?, followed by rewrite, if, or set in the same scope. This is the most practical starting point for CVE-2026-42945 detection, because the flaw depends on a specific and common configuration pattern rather than on the mere presence of NGINX.
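One way to automate the configuration review described above, as an added example (not code from F5, depthfirst, or the nginx project): a simplified scanner that flags rewrite directives matching the pattern and ignores ones that use named captures or have no trailing rewrite, if, or set. It assumes the unnamed capture and the ? both appear in the replacement argument, treats "same scope" as the same brace-delimited block, and does not follow include directives; the function name and sample configuration are constructed for illustration.

```python
import re
# Simplified nginx tokenizer: whitespace, comments, quoted strings, punctuation, bare words.
TOKEN = re.compile(r'''\s+|#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')
FOLLOWERS = {"rewrite", "if", "set"}   # directives the article names as the trailing condition
UNNAMED = re.compile(r"\$[1-9]")       # unnamed capture reference such as $1 or $2

def find_risky_rewrites(text):
    """Hypothetical helper: return [(line, directive)] for rewrites matching the pattern."""
    findings = []
    pending = [[]]            # per open scope: risky rewrites not yet followed
    words, line = [], 0
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.isspace() or tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):
            if not words:
                line = text.count("\n", 0, m.start()) + 1
            words.append(tok[1:-1] if tok[0] in "\"'" and tok[-1] == tok[0] else tok)
            continue
        if words:             # a directive just ended (with ';' or an opening '{')
            if words[0] in FOLLOWERS:
                findings.extend(pending[-1])   # earlier risky rewrites are now followed
                pending[-1].clear()
            repl = words[2] if len(words) >= 3 else ""
            if words[0] == "rewrite" and "?" in repl and UNNAMED.search(repl):
                pending[-1].append((line, " ".join(words)))
            words = []
        if tok == "{":
            pending.append([])                 # enter a new scope
        elif tok == "}" and len(pending) > 1:
            pending.pop()                      # leave scope; unfollowed rewrites are dropped
    return findings

# Constructed sample configuration (not from any real deployment).
SAMPLE = """\
server {
    location /a/ {
        rewrite ^/a/(.*)$ /b/$1?src=a;
        set $flag 1;
    }
    location /c/ {
        rewrite ^/c/(?<rest>.*)$ /d/$rest?src=c;
        set $flag 1;
    }
}
"""
if __name__ == "__main__":
    print(find_risky_rewrites(SAMPLE))
```

A hit is a candidate for the named-capture workaround or for prioritised patching; the result depends only on the configuration text, so it should be paired with a version inventory.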
If immediate patching is not possible, F5 and depthfirst both advise replacing unnamed captures like $1 and $2 with named captures in every affected rewrite directive. There are no vendor-published CVE-2026-42945 IoCs in the cited materials, so defenders should focus on version inventory, configuration review, unexpected worker restarts, and suspicious HTTP request patterns hitting vulnerable rewrite logic.
FAQ
What is CVE-2026-42945 and how does it work?
CVE-2026-42945 is a heap buffer overflow in NGINX’s ngx_http_rewrite_module. It is triggered by a specific rewrite-rule pattern involving unnamed regex captures and a replacement string containing a question mark, which can cause attacker-controlled URI data to overflow the worker-process heap.
When was CVE-2026-42945 first discovered?
Public reporting says the issue was responsibly disclosed on April 21, 2026, and depthfirst says F5 confirmed, patched, and published the coordinated advisory on May 13, 2026.
What is the impact of CVE-2026-42945 on systems?
The immediate impact is denial of service through worker-process crashes or restart loops. Under additional favorable conditions, public reporting and researcher materials say the bug may also enable remote code execution in the NGINX worker process.
Can CVE-2026-42945 still affect me in 2026?
Yes. Systems can still be exposed in 2026 if they run vulnerable NGINX versions and use the affected rewrite configuration pattern, especially if they have not yet been upgraded to 1.30.1, 1.31.0, or the relevant fixed NGINX Plus build.
How can I protect myself from CVE-2026-42945?
Upgrade to a fixed release, restart NGINX after patching, and audit rewrite rules for unnamed captures followed by rewrite, if, or set when the replacement string includes ?. If patching must be delayed, replace unnamed captures with named captures as a temporary workaround.