
"Tracked as CVE-2026-42945 (CVSS score of 9.2) and dubbed Nginx Rift, the flaw is described as a heap buffer overflow in the ngx_http_rewrite_module component. It lurked in the NGINX code for 16 years. Shortly after F5 released patches for the bug, Depthfirst published technical details and proof-of-concept (PoC) code targeting it. Now, VulnCheck says threat actors are already exploiting the issue in attacks."
"The security defect exists because the script engine relies on a two-pass process to calculate the buffer size and copy data to it, and because the internal engine state changes between these passes. In certain conditions, an unpropagated flag results in attacker-supplied data being written past the heap boundary. On default deployments, successful exploitation of the CVE would trigger a server restart, causing a denial-of-service (DoS) condition."
"As VulnCheck points out, the bug can be exploited remotely, without authentication, via crafted HTTP requests, but requires a specific rewrite configuration. While crashing the NGINX worker process is fairly trivial with a single crafted request, achieving RCE is more difficult, as most deployments have ASLR enabled by default. "Our Censys query surfaces roughly 5.7M internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is likely to be a much smaller subset of those," VulnCheck says."
CVE-2026-42945, dubbed Nginx Rift and rated CVSS 9.2, is a heap buffer overflow in the ngx_http_rewrite_module component. The flaw had been present in the NGINX code for 16 years. It stems from the script engine's two-pass process, which first calculates the buffer size and then copies data into it, while internal engine state changes between the two passes; under certain conditions an unpropagated flag causes attacker-controlled data to be written past the heap boundary. On default deployments, successful exploitation triggers a server restart, resulting in denial of service. If ASLR is disabled, exploitation can progress to remote code execution. The vulnerability is remotely exploitable without authentication via crafted HTTP requests, but requires a specific rewrite configuration.
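As an added illustration of the bug class the summary describes (a measure pass and a copy pass that disagree because engine state changes between them), the following C model shows why a bounds check in the copy pass matters. It is not NGINX's code and not derived from the published details; the `escape` flag and its `%` expansion are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of a two-pass "measure, then copy" script engine.
 * Illustrative only; this is not NGINX's rewrite engine. */
struct engine {
    int escape;  /* assumed flag: when set, '%' is emitted as "%25" on copy */
};
/* Pass 1: count the bytes the copy pass is expected to produce. */
static size_t measure(const struct engine *e, const char *s) {
    size_t n = 0;
    for (; *s; s++)
        n += (e->escape && *s == '%') ? 3 : 1;
    return n;
}
/* Pass 2: emit into out[cap]. The bounds check is the hardening: without it,
 * a flag that changed after pass 1 makes this write past the buffer. */
static size_t emit(const struct engine *e, const char *s,
                   char *out, size_t cap, int *overflow) {
    size_t n = 0;
    for (; *s; s++) {
        const char *rep = (e->escape && *s == '%') ? "%25" : NULL;
        size_t len = rep ? 3 : 1;
        if (n + len > cap) { *overflow = 1; return n; }
        if (rep) memcpy(out + n, rep, 3); else out[n] = *s;
        n += len;
    }
    return n;
}
/* Runs both passes. With propagate == 0 the flag is set only after pass 1
 * (the unpropagated-state bug) and emit() reports the overrun instead of
 * corrupting the heap. Returns the emitted length, or -1 on a caught overrun. */
long render(const char *s, int propagate, char *dst, size_t dstsz) {
    struct engine e = { .escape = propagate };   /* state as pass 1 sees it */
    size_t cap = measure(&e, s);
    char *buf = malloc(cap + 1);
    if (!buf) return -1;
    e.escape = 1;                                /* state changes before pass 2 */
    int overflow = 0;
    size_t n = emit(&e, s, buf, cap, &overflow);
    if (!overflow) { buf[n] = '\0'; snprintf(dst, dstsz, "%s", buf); }
    free(buf);
    return overflow ? -1 : (long)n;
}
/* Helper for checks: 1 when rendering succeeds and equals expected, else 0. */
int render_matches(const char *s, int propagate, const char *expected) {
    char out[64];
    return render(s, propagate, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}
```

With the flag propagated before the measure pass, `"a%b"` renders to `"a%25b"`; when it flips only between the passes, the measured size is too small and the guarded copy pass refuses the write rather than overrunning the heap.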
Read at SecurityWeek