NGINX CVE-2026-42945 Rewrite Module Flaw Is Being Exploited

NGINX CVE-2026-42945 is now being exploited in the wild, according to VulnCheck activity reported by The Hacker News. Patch exposed NGINX servers and review rewrite rules.

NGINX administrators should move CVE-2026-42945 from “patch soon” to “verify now.” The heap buffer overflow in ngx_http_rewrite_module, also called NGINX Rift, is now seeing exploitation attempts in VulnCheck honeypot networks, according to The Hacker News. The reported end goals are not yet clear, but public-facing NGINX servers are enough of a target to justify fast action.[1]

The vulnerability affects NGINX Open Source and NGINX Plus when a specific rewrite configuration pattern is present. NVD and F5 describe the vulnerable condition as a rewrite directive followed by another rewrite, if, or set directive, using an unnamed PCRE capture such as $1 or $2, with a replacement string that includes a question mark. A crafted HTTP request can crash the NGINX worker process, and code execution is possible on systems where ASLR is disabled.[2][3]


Who is affected and what to check first

The affected range is broad because the flaw dates back to older NGINX rewrite logic. F5 and public reporting list NGINX Open Source 0.6.27 through 1.30.0 and NGINX Plus R32 through R36 among affected releases, with fixes in NGINX Open Source 1.30.1 and 1.31.0 and NGINX Plus R32 P6 and R36 P4.[3][4] Related F5 products that embed NGINX, including certain NGINX Ingress Controller, Gateway Fabric, Instance Manager, App Protect WAF, and DoS releases, also need review against the vendor matrix.

| Area | Action |
| --- | --- |
| NGINX Open Source | Upgrade to 1.30.1 stable or 1.31.0 mainline where applicable. |
| NGINX Plus | Move to the fixed Plus release listed by F5 for the deployed branch. |
| Rewrite configuration | Prioritize configs using unnamed captures such as $1 plus a ? in replacement strings. |
| Edge exposure | Inventory public reverse proxies, load balancers, API gateways, and ingress controllers first. |

This is not a case where the CVSS score alone tells the whole story. Reliable RCE depends on configuration and memory-protection conditions, and AlmaLinux maintainers noted that turning the heap overflow into generic code execution is not trivial when ASLR is enabled by default. The same assessment still treats the bug as urgent because worker-process crashes are practical enough to create denial-of-service impact on exposed traffic paths.[1][5]

For triage, start with internet-facing NGINX assets and hosts that terminate customer traffic. Check the actual binary version on the host rather than trusting a missing or stripped server banner. Then search NGINX configs for rewrite chains that use unnamed captures. Useful first-pass checks include nginx -V, package-manager version queries, and a review of rewrite, if, and set blocks in site configs, ingress templates, and generated gateway configuration.
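A first-pass config scan for the pattern described above, as an added example that is not from F5, NVD, or the original article. It assumes a conservative reading of the advisory text: flag any rewrite whose replacement contains a ? when the next directive in the same block is rewrite, if, or set and either directive references $1-style captures; the function name and the sample config are constructed for illustration.

```python
import re

# Quoted strings, comments, delimiters, then bare words (nginx config tokens).
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[;{}]|[^\s;{}]+''')
UNNAMED = re.compile(r"\$\d")           # $1, $2, ...: unnamed PCRE captures
FOLLOWERS = {"rewrite", "if", "set"}    # follow-on directives named in the advisory

# Constructed sample config: one matching block, one using named captures,
# and one rewrite without a question mark in the replacement.
SAMPLE_CONF = """\
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/index.php?page=$1;
        set $tracked $1;   # follow-on directive reusing the unnamed capture
    }
    location /safe/ {
        rewrite ^/safe/(?<page>.*)$ /new/index.php?page=$page;
        set $tracked $page;
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /other/$1 last;
    }
}
"""

def find_risky_rewrites(text):
    """Return [(line, directive)] for rewrites matching the described pattern."""
    findings, words, pending, line = [], [], None, 1
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith("#"):
            continue                                  # skip comments
        if tok not in (";", "{", "}"):
            if not words:                             # first word: remember its line
                line = text.count("\n", 0, m.start()) + 1
            words.append(tok.strip("\"'"))
            continue
        if words:                                     # a directive just ended
            joined = " ".join(words)
            if pending and words[0] in FOLLOWERS and (pending[2] or UNNAMED.search(joined)):
                findings.append(pending[:2])
            pending = None
            if words[0] == "rewrite" and len(words) >= 3 and "?" in words[2]:
                pending = (line, joined, bool(UNNAMED.search(joined)))
        elif tok == "}":
            pending = None                            # block closed: chain is broken
        words = []
    return findings

if __name__ == "__main__":
    for line_no, directive in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: {directive}")
```

A hit is a reason to review that block and prioritize the host for patching, not proof of exploitability; included files and generated configs have to be scanned separately.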

If immediate patching is blocked, F5’s public guidance points to changing vulnerable rewrite logic by replacing unnamed captures with named captures in affected directives.[4] Treat that as a temporary reduction of risk, not closure. Restart or reload NGINX only after validating configuration syntax, and watch error logs for worker crashes, unusual request bursts against rewritten paths, and repeated probes against legacy redirect rules.
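One way to watch the error log for the worker crashes mentioned above, as an added example that is not part of the original article. It matches the "worker process N exited on signal N" alert line that NGINX writes to its error log; the threshold of three crashes in 60 seconds and the sample log lines are constructed assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# NGINX logs abnormal worker exits at [alert] level in the error log.
CRASH = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)

# Constructed sample lines in error-log format (not captured from a real host).
SAMPLE_LOG = [
    "2026/05/17 10:00:01 [alert] 900#900: worker process 1201 exited on signal 11",
    "2026/05/17 10:00:05 [notice] 900#900: worker process 1199 exited with code 0",
    "2026/05/17 10:00:09 [alert] 900#900: worker process 1202 exited on signal 11 (core dumped)",
    "2026/05/17 10:00:30 [alert] 900#900: worker process 1203 exited on signal 11",
    "2026/05/17 11:15:00 [alert] 900#900: worker process 1300 exited on signal 11",
]

def crash_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return (first, last, count) for each run of >= threshold crashes within window."""
    times = sorted(
        datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        for m in map(CRASH.match, lines) if m
    )
    bursts, i = [], 0
    while i < len(times):
        j = i
        # Extend the run while the next crash is still inside the window.
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], times[j], j - i + 1))
            i = j + 1          # continue after the reported burst
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for first, last, count in crash_bursts(SAMPLE_LOG):
        print(f"{count} worker crashes between {first} and {last}")
```

Correlating a burst's timestamps with access-log requests to rewritten paths narrows down which rule is being probed.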

Howtofix.guide has seen the same operational pattern in other edge-service incidents: the public entry point becomes the first practical target. The older NGINX vulnerability coverage is useful background, and recent alerts on Cisco SD-WAN exploitation and cPanel/WHM exploitation show why internet-facing control planes and web gateways should be patched on a tighter clock than internal application bugs.

The safest short response is direct: patch supported NGINX builds, check whether rewrite rules match the vulnerable pattern, keep ASLR enabled, and monitor for worker restarts or suspicious crafted requests. If a server is unsupported, remove internet exposure or replace it; “old but stable” is not a valid mitigation for a public edge service with active probing.

References

  1. The Hacker News. NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE. Published May 17, 2026.
  2. NVD. CVE-2026-42945 Detail. Published May 13, 2026.
  3. F5. K000161019: NGINX ngx_http_rewrite_module Heap Buffer Overflow. Published May 13, 2026.
  4. The Hacker News. 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE. Published May 14, 2026.
  5. AlmaLinux. NGINX Rift (CVE-2026-42945): Patched nginx available in testing. Published May 13, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
