CVE-2026-42945 Scanner (Version Based)
CVE-2026-42945 Scanner - Heap-Based Buffer Overflow vulnerability in NGINX
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 5 hours
Scan only one: URL
Toolbox
NGINX is a high-performance, open-source web server, reverse proxy, and load balancer originally developed by Igor Sysoev and first publicly released in 2004. It is widely adopted by organizations of all sizes to serve static content, proxy requests to application backends, handle SSL/TLS termination, and manage high-concurrency traffic efficiently. NGINX is built on an asynchronous, event-driven architecture that enables it to serve thousands of simultaneous connections using minimal system resources. The commercial variant, NGINX Plus, extends the open-source offering with features such as advanced load balancing algorithms, session persistence, API gateway capabilities, active health checks, and enhanced monitoring dashboards. F5 Networks acquired NGINX Inc. in 2019 and continues to maintain and develop both the open-source and commercial product lines. NGINX powers a significant share of the world's most visited websites and serves as a critical infrastructure component in cloud-native, containerized, and enterprise environments globally.
CVE-2026-42945, publicly known as NGINX Rift, is a critical heap-based buffer overflow vulnerability affecting the ngx_http_rewrite_module in NGINX Open Source and NGINX Plus. The flaw was introduced in NGINX version 0.6.27 and remained undetected in the codebase for approximately 18 years, affecting every release through version 1.30.0. Exploitation requires a specific nginx configuration pattern: a rewrite directive that uses unnamed PCRE capture groups such as $1 or $2 with a replacement string containing a question mark, followed by another rewrite, if, or set directive in the same context. An unauthenticated remote attacker can trigger the vulnerability by sending a single crafted HTTP request to the server, with no prior authentication or active session required. The vulnerability was autonomously discovered by the depthfirst security research platform and responsibly disclosed to F5 on April 21, 2026. Fixed versions were released on May 13, 2026 in NGINX Open Source 1.30.1 and 1.31.0, as well as in NGINX Plus R36 P4 and R32 P6.
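The advisory text above describes the trigger as a combination of three configuration properties in one context. The fragment below is a constructed illustration of that pattern, added here for audit purposes; it is not taken from the advisory, the vendor, or any real deployment, and the hostname, paths and variable names are hypothetical. It is what a configuration review would look for: a rewrite using an unnamed capture, a replacement string containing a question mark, and another rewrite-module directive (rewrite, if or set) following it in the same block.

```nginx
# Constructed illustration of the configuration pattern described above.
# Names and paths are hypothetical; this is not vendor or advisory code.
server {
    listen 80;
    server_name example.test;

    location / {
        # (1) unnamed capture group ($1) and (2) a replacement containing '?'.
        # No flag is given so that later rewrite-module directives still run.
        rewrite ^/old/(.*)$ /index.php?route=$1;

        # (3) a following set directive in the same context.
        set $route_copy $1;

        try_files $uri /index.php;
    }
}
```

Note that the vendor fix is to upgrade to the fixed releases named above; the fragment is meant to help locate candidate contexts in existing configurations, not to suggest that rearranging directives is a supported mitigation.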
The root cause of the vulnerability resides in the file src/http/ngx_http_script.c within NGINX's internal script engine, which processes rewrite and set directives using a two-phase approach: a length calculation phase followed by a data copy phase. When a rewrite directive's replacement string contains a question mark, the function ngx_http_script_start_args_code permanently sets the is_args flag to 1 on the main script engine, and this flag is never cleared between subsequent directive evaluations. During the length calculation phase for a following set directive, NGINX creates a freshly zeroed sub-engine where is_args equals 0, causing the required buffer size to be computed based on the raw, unescaped byte length of the URI capture group. However, the actual copy phase operates on the main engine where is_args remains 1, triggering ngx_escape_uri with the NGX_ESCAPE_ARGS escaping mode, which expands characters such as plus signs, ampersands, and percent signs from one byte to three bytes each in percent-encoded form. This mismatch means the allocated heap buffer is undersized by exactly two bytes for every escapable character present in the attacker-controlled URI segment, resulting in a write operation that extends beyond the allocated buffer boundary. Because the overflowing bytes are derived directly from the attacker's URI input, the memory corruption is deterministic and shaped by the attacker rather than random, enabling reliable heap manipulation.
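To make the length/copy mismatch concrete, the following is an added, simplified model in C; it is not nginx source and does not reproduce the real script engine. The escape set is reduced to the three characters the text names (plus, ampersand, percent), the "engine" is a single struct carrying the is_args flag, and the function names are assumptions. The vulnerable path computes the allocation with a fresh zeroed sub-engine while the copy decision uses the main engine's flag, and reports the resulting shortfall rather than performing an out-of-bounds write; the fixed path sizes the buffer from the same flag the copy phase uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Simplified model of the two-phase length/copy mismatch described above.
 * Illustrative reconstruction only, not nginx code: the escape set is cut
 * down to the three characters named in the text. */

static int needs_escape(unsigned char c) {
    return c == '+' || c == '&' || c == '%';
}

/* Length phase: bytes the capture occupies after optional %XX escaping. */
static size_t capture_len(const char *s, int is_args) {
    size_t n = 0;
    for (; *s; s++)
        n += (is_args && needs_escape((unsigned char)*s)) ? 3 : 1;
    return n;
}

/* Copy phase: write the capture into dst, escaping when is_args is set.
 * Returns the number of bytes written. */
static size_t capture_copy(char *dst, const char *s, int is_args) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (is_args && needs_escape(c)) {
            dst[n++] = '%';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 0x0F];
        } else {
            dst[n++] = (char)c;
        }
    }
    return n;
}

struct engine { int is_args; };

/* Vulnerable pattern: the length phase runs on a freshly zeroed sub-engine
 * (is_args == 0) while the copy phase uses the main engine, whose is_args is
 * still 1 from an earlier '?' replacement. Returns the number of bytes by
 * which the copy would exceed the allocation (two per escapable character).
 * No out-of-bounds write is performed; the shortfall is only computed. */
static size_t vulnerable_deficit(const struct engine *main_engine, const char *capture) {
    struct engine sub = { 0 };                                 /* freshly zeroed */
    size_t alloc = capture_len(capture, sub.is_args);          /* raw length */
    size_t need  = capture_len(capture, main_engine->is_args); /* escaped length */
    return need > alloc ? need - alloc : 0;
}

/* Fixed pattern: both phases consult the same flag, so the buffer is sized
 * for the escaped output. Returns a heap string the caller must free. */
static char *fixed_build(const struct engine *main_engine, const char *capture) {
    size_t alloc = capture_len(capture, main_engine->is_args);
    char *buf = malloc(alloc + 1);
    if (buf == NULL)
        return NULL;
    size_t n = capture_copy(buf, capture, main_engine->is_args);
    buf[n] = '\0';
    return buf;
}

int main(void) {
    /* Constructed sample: a URI segment with three escapable characters. */
    const char *capture = "a+b&c%d";
    struct engine main_engine = { 1 }; /* left set by an earlier '?' replacement */

    printf("shortfall: %zu bytes\n", vulnerable_deficit(&main_engine, capture));
    char *out = fixed_build(&main_engine, capture);
    if (out != NULL) {
        printf("escaped: %s\n", out);
        free(out);
    }
    return 0;
}
```

The shortfall grows linearly with the number of escapable characters in the attacker-controlled segment, which is why the text describes the overflow as deterministic and attacker-shaped: the attacker chooses both how far past the allocation the copy runs and which bytes land there.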
When exploited, an attacker can reliably crash NGINX worker processes by sending a single crafted HTTP request, causing a denial-of-service condition that disrupts all websites and services hosted on the affected instance. The NGINX master process automatically restarts crashed workers, but an attacker can send repeated requests to maintain a continuous crash loop, resulting in sustained service degradation or complete unavailability for all virtual hosts on the server. On systems where Address Space Layout Randomization is disabled, the controllable and deterministic nature of the heap overflow enables a skilled attacker to achieve remote code execution within the NGINX worker process, potentially gaining full control over the web-serving process. With code execution capability, an attacker could access sensitive data handled by the server, including session tokens, authentication credentials, proxied application traffic, and private keys stored in memory. The vulnerability is reachable from the public internet without any authentication, prior access, or existing session, making it particularly dangerous for internet-facing deployments with complex rewrite configurations such as PHP front controllers, WordPress permalink structures, or API gateway routing rules. Additionally, multiple F5 NGINX commercial products including NGINX Instance Manager, App Protect WAF, App Protect DoS, Gateway Fabric, and Ingress Controller are affected and currently have no in-branch fix available from the vendor.