Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years.
The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. It has been codenamed NGINX Rift.
“NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,” F5 said in an advisory released Wednesday. “This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?).”
“An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.”
The issue has been addressed in the following versions after responsible disclosure on April 21, 2026 –
- NGINX Plus R32 – R36 (Fixes introduced in R32 P6 and R36 P4)
- NGINX Open Source 1.0.0 – 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0)
- NGINX Open Source 0.6.27 – 0.9.7 (No fixes planned)
- NGINX Instance Manager 2.16.0 – 2.21.1
- F5 WAF for NGINX 5.9.0 – 5.12.1
- NGINX App Protect WAF 4.9.0 – 4.16.0
- NGINX App Protect WAF 5.1.0 – 5.8.0
- F5 DoS for NGINX 4.8.0
- NGINX App Protect DoS 4.3.0 – 4.7.0
- NGINX Gateway Fabric 1.3.0 – 1.6.2
- NGINX Gateway Fabric 2.0.0 – 2.5.1
- NGINX Ingress Controller 3.5.0 – 3.7.2
- NGINX Ingress Controller 4.0.0 – 4.0.1
- NGINX Ingress Controller 5.0.0 – 5.4.1
In its own advisory, depthfirst said the vulnerability could allow a remote, unauthenticated attacker to corrupt the heap of an NGINX worker process by sending a crafted URI. What makes the vulnerability severe is that it’s reachable without authentication, can be reliably used to trigger the heap overflow, and can lead to remote code execution in the NGINX worker process.
“An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution,” depthfirst said. “There is no authentication step, no prior access requirement, and no need for an existing session.”
“The bytes written past the allocation are derived from the attacker’s URI, so the corruption is shaped by the attacker rather than random. Repeated requests can also be used to keep workers in a crash loop and degrade availability for every site served by the instance.”
Also patched in NGINX Plus and NGINX Open Source are three other flaws –
- CVE-2026-42946 (CVSS v4…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
