Dubbed “NGINX Rift,” CVE-2026-42945 was published on May 13, 2026, and carries a CVSS v4 score of 9.2 (Critical).
The vulnerability resides in the ngx_http_rewrite_module and affects NGINX Open Source and NGINX Plus versions 0.6.27 through 1.30.0, a range spanning nearly every release over the past 18 years.
Critical NGINX RCE Vulnerability
According to Patrick Garrity, the flaw was silently introduced into the NGINX codebase in 2008 and has remained undetected ever since. The root cause lies in inconsistent escaping logic inside the rewrite engine.
NGINX computes the destination buffer size under one set of assumptions and then copies data under another, allowing attacker-controlled URI bytes to overflow the heap within the worker process.
The vulnerability is triggered only when a rewrite directive follows another rewrite, if, or set directive that uses unnamed PCRE capture groups (e.g., $1, $2), combined with a replacement string containing a question mark.
A public proof-of-concept (PoC) exploit appeared on GitHub on the same day the CVE was published, May 13.
By May 16, VulnCheck’s Canary Intelligence honeypot network detected active exploitation attempts in the wild, and VulnCheck subsequently issued a KEV alert the same day.
“An unauthenticated attacker can crash the NGINX worker process by sending crafted HTTP requests,” VulnCheck’s Initial Access team noted in its release, according to Patrick Garrity.
A Censys query surfaced approximately 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is estimated to be a considerably smaller subset.
Remote code execution (RCE) is possible, but only on systems where Address Space Layout Randomization (ASLR) is disabled, a configuration that, while uncommon, is not unheard of in legacy or misconfigured deployments.
A security researcher confirmed the conditional nature of the RCE: “To reach RCE, ASLR needs to have been disabled on the box.”
As a result, the more realistic and immediate threat for most exposed servers is a persistent Denial-of-Service (DoS) loop caused by repeated worker process crashes.
Researchers demonstrated that the PoC required only standard Python sockets and a single crafted HTTP GET request, with a payload of 349 padding bytes followed by 2,000 URI-escapable characters, against a fully patched Ubuntu instance running NGINX 1.28.3.
For RCE, attackers leverage cross-request heap feng shui: first opening a partial connection to allocate a request pool, then opening a victim connection and corrupting its pool header via overflow.
F5 has released patched versions of NGINX 1.30.1 (stable branch) and 1.31.0 (mainline branch). Cloudflare issued an emergency WAF rule update on May 15 to detect heap buffer overflow and heap spray attempts targeting this flaw.
Organizations running NGINX with rewrite rules in their configuration should treat this as an emergency patch, given the active exploitation; the window to act is rapidly closing.
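As an added triage aid (not code from the article, VulnCheck, or F5), the following Python script scans an NGINX configuration for the trigger pattern described above: a rewrite whose replacement contains a question mark and that uses, or follows a rewrite/if/set that uses, numbered PCRE captures. The matching heuristic and the sample configuration are assumptions derived from the article's description, meant to prioritise which servers to patch first, not an authoritative vulnerability check.

```python
import re

# Constructed sample config (not from the article); inline comments mark each case.
SAMPLE_CONF = """server {
    rewrite ^/user/(?<name>[a-z]+)$ /profile?u=$name last;   # named capture only
    rewrite ^/old/(.*)$ /new/$1?legacy=1 last;               # $1 plus '?' in replacement
    rewrite ^/api/(.*)$ /v2/$1 break;                        # $1 but no '?'
    if ($request_uri ~ ^/d/(.*)$) {
        set $tmp $1;
    }
    rewrite ^/legacy$ /index.php?path=$tmp last;             # '?' after numbered captures above
}"""

DIRECTIVE = re.compile(r'^(rewrite|if|set)\b(.*?);?$')
NUMBERED_REF = re.compile(r'\$\d+')       # $1, $2, ...: references to unnamed captures
UNNAMED_GROUP = re.compile(r'\((?!\?)')   # a '(' that opens a plain, unnamed PCRE group


def _uses_numbered_captures(name: str, args: str) -> bool:
    """True if this rewrite/if/set directive defines or references numbered PCRE captures."""
    if NUMBERED_REF.search(args):
        return True
    if name == 'rewrite':
        regex = args.split()[0] if args.split() else ''
        return bool(UNNAMED_GROUP.search(regex))
    if name == 'if':  # only the pattern after ~ or ~* can define capture groups
        m = re.search(r'~\*?\s*"?([^")]+)', args)
        return bool(m and UNNAMED_GROUP.search(m.group(1)))
    return False


def audit_rewrite_config(conf: str) -> list[tuple[int, str]]:
    """Return (line number, directive) for each rewrite with '?' in its replacement that
    uses, or follows a rewrite/if/set that uses, numbered captures. Heuristic triage only."""
    findings = []
    seen_numbered = False
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and indentation
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2).strip()
        numbered = _uses_numbered_captures(name, args)
        if name == 'rewrite':
            parts = args.split()
            replacement = parts[1] if len(parts) > 1 else ''
            if '?' in replacement and (numbered or seen_numbered):
                findings.append((lineno, line))
        seen_numbered = seen_numbered or numbered
    return findings
```

A hit means the server should move to the front of the patch queue for 1.30.1 or 1.31.0; a clean scan does not prove a build is safe, because the audit only approximates the trigger the article describes.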
The post Hackers Exploit Critical NGINX RCE Vulnerability in the Wild appeared first on Cyber Security News.