NGINX has shipped fixes for a heap buffer overflow in its ngx_http_rewrite_module that has lived in the codebase since the 0.6.x era — a span of roughly 18 years — and which can be reached over the network without authentication. The flaw, tracked as CVE-2026-42945 and named “NGINX Rift” by the researchers at depthfirst who disclosed it, carries a CVSS v4 score of 9.2 and was responsibly reported on April 21, 2026.
The trigger condition is mundane configuration
The bug is reached when a rewrite directive precedes a rewrite, if, or set directive that uses unnamed PCRE captures containing a question-mark metacharacter. That is not an exotic pattern — it appears in canonical examples of redirect rules and parameter rewrites used across the public internet. depthfirst writes that “an attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap,” and F5 confirms in its advisory that “an unauthenticated attacker… can exploit this vulnerability by sending crafted HTTP requests.” On hosts where address-space layout randomization is disabled, the consequence is unauthenticated remote code execution; on hosts with ASLR enabled, the most common outcome is a worker-process crash, which becomes a denial-of-service primitive when an attacker can replay the request at scale.
The patch matrix is unusually wide
Because the rewrite module ships in every NGINX distribution, the affected-versions list reads like an inventory of F5’s web tier. NGINX Open Source versions 1.0.0 through 1.30.0 are vulnerable; fixes are in 1.30.1 and 1.31.0. NGINX Plus is patched at R32 P6 and R36 P4. The legacy 0.6.27 through 0.9.7 series receives no fix at all — operators running those builds need to migrate, not patch. The same advisory also resolves three additional issues that landed in the same release window: CVE-2026-42946 (CVSS 8.3), a memory-allocation flaw in SCGI/UWSGI handling; CVE-2026-40701 (CVSS 6.3), a use-after-free in the SSL module; and CVE-2026-42934 (CVSS 6.3), an out-of-bounds read in the charset module. Downstream products — NGINX Gateway Fabric, Ingress Controller, App Protect WAF, and Instance Manager — each have their own remediation versions listed in F5’s bulletin.
Why an 18-year-old flaw stayed quiet
The interesting question is less “how was it found” and more “why now.” Rewrite rules are evaluated on a code path that nearly every public-facing NGINX install touches, and the offending construct is reachable without authentication. The likely answer is the same one we have seen behind several 2025-2026 disclosures: automated source review at frontier-model scale is finding bug classes in mature C code that decades of human eyes did not. The Hacker News notes that depthfirst’s disclosure path was the conventional one, but the audit budget required to find a heap overflow buried inside a PCRE capture handler has changed.
What this means
For practitioners, the immediate work is the inventory. NGINX sits in front of an outsized share of corporate web tiers, and unattended forks inside container images, ingress controllers, and ISO-baked appliances will lag the upstream advisory by days to weeks. Anyone running ASLR-disabled NGINX — embedded appliances and minimal container bases are the usual culprits — should treat this as an RCE patch, not a DoS patch. And anyone exposing rewrite rules through a customer-controllable input (CDN edge configs, multi-tenant ingress) should audit those configurations for the question-mark-in-capture pattern while the patches roll.
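The inventory and configuration audit described above, as an added example that is not part of the original article and not code from depthfirst or F5. It turns two facts the article states into checks a defender can run offline: the NGINX Open Source version ranges (0.6.27 through 0.9.7 with no fix, 1.0.0 through 1.30.0 fixed in 1.30.1 and 1.31.0; NGINX Plus is not modelled) and the textual trigger condition (a rewrite directive preceding a rewrite, if, or set directive whose unnamed PCRE capture contains a question-mark metacharacter). The config scanner is a heuristic reading of that sentence, not the vendor's detection logic: it checks the regex argument of rewrite and if, treats a set that references a numbered capture in a scope where such a regex already matched as part of the pattern, and uses brace tracking (with quoted strings removed so `{2,4}` quantifiers do not confuse it) to scope "precedes". The sample nginx.conf is constructed for the demonstration; F5's bulletin remains the authority on what is affected.

```python
import re
from typing import List, NamedTuple

# --- Version check against the ranges stated in the advisory (Open Source only) ---

VERSION_LINE_RE = re.compile(r'nginx/(\d+\.\d+\.\d+)')   # matches "nginx -v" output

def open_source_status(version: str) -> str:
    """Classify an NGINX Open Source version string such as '1.24.0'."""
    v = tuple(int(p) for p in version.split('.'))
    if (0, 6, 27) <= v <= (0, 9, 7):
        return 'vulnerable, no fix published: migrate'
    if (1, 0, 0) <= v <= (1, 30, 0):
        return 'vulnerable: upgrade to 1.30.1 or 1.31.0'
    if v >= (1, 30, 1):
        return 'fixed'
    return 'outside the published affected ranges: check the F5 bulletin'

def status_from_nginx_v(output: str) -> str:
    """Take the text printed by 'nginx -v' and classify the version it reports."""
    m = VERSION_LINE_RE.search(output)
    return open_source_status(m.group(1)) if m else 'version not recognised'

# --- Heuristic config scan for the trigger pattern the write-up describes ---

DIRECTIVE_RE = re.compile(r'^\s*(rewrite|if|set)\b\s*(.*)$')
IF_ARG_RE = re.compile(r'^\(\s*\$\w+\s*!?~\*?\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s)]+))\s*\)')
NUMBERED_CAPTURE_REF = re.compile(r'\$[1-9]')
QUOTED_RE = re.compile(r'"[^"]*"|\'[^\']*\'')

class Finding(NamedTuple):
    line: int
    directive: str
    detail: List[str]

def risky_unnamed_groups(regex: str) -> List[str]:
    """Bodies of unnamed capture groups that contain an unescaped '?' outside a
    character class. Named, non-capturing and lookaround groups ('(?...') are
    skipped because the write-up ties the bug to unnamed captures."""
    bodies, stack, in_class, i = [], [], False, 0
    while i < len(regex):
        c = regex[i]
        if c == '\\':                     # escaped character: literal, skip it
            i += 2
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(':
            unnamed = not regex.startswith('(?', i)
            stack.append([i + 1, unnamed, False])   # start, unnamed?, saw '?'
            if not unnamed:
                i += 1                    # skip the '?' that introduces the group
        elif c == ')' and stack:
            start, unnamed, saw_q = stack.pop()
            if unnamed and saw_q:
                bodies.append(regex[start:i])
        elif c == '?':
            for frame in stack:           # a '?' counts for every enclosing group
                frame[2] = True
        i += 1
    return bodies

def first_argument(rest: str) -> str:
    """First argument of a directive, with surrounding quotes removed."""
    m = re.match(r'"([^"]*)"|\'([^\']*)\'|(\S+)', rest)
    return next(g for g in m.groups() if g is not None) if m else ''

def scan_config(text: str) -> List[Finding]:
    """Report rewrite/if/set directives matching the pattern when a rewrite
    directive precedes them in the same or an enclosing block."""
    findings = []
    scopes = [[False, False]]             # per block: [rewrite_seen, risky_regex_seen]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0]
        m = DIRECTIVE_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2).strip()
            preceded = any(s[0] for s in scopes)
            regex = None
            if name == 'rewrite':
                regex = first_argument(rest)
            elif name == 'if':
                im = IF_ARG_RE.match(rest)
                if im:
                    regex = next(g for g in im.groups() if g is not None)
            if regex is not None:
                bodies = risky_unnamed_groups(regex)
                if bodies:
                    scopes[-1][1] = True
                    if preceded:
                        findings.append(Finding(lineno, name, bodies))
            elif name == 'set' and NUMBERED_CAPTURE_REF.search(rest):
                if preceded and any(s[1] for s in scopes):
                    findings.append(Finding(lineno, name, ['numbered capture reference']))
            if name == 'rewrite':
                scopes[-1][0] = True
        for ch in QUOTED_RE.sub('', line):   # brace tracking, ignoring quoted regexes
            if ch == '{':
                scopes.append([False, False])
            elif ch == '}' and len(scopes) > 1:
                scopes.pop()
    return findings

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = r"""server {
    listen 80;
    # rewrite followed by an if whose unnamed capture contains a '?' quantifier
    rewrite ^/old/(.*)$ /new/$1 permanent;
    if ($request_uri ~ "^/item/([0-9]+)(/[a-z]*?)?$") {
        set $slug $2;
    }
}
server {
    listen 8080;
    # the same regex, but no rewrite precedes it in scope
    if ($request_uri ~ "^/item/([0-9]+)(/[a-z]*?)?$") {
        return 301 /current/$1;
    }
}
server {
    listen 9090;
    # rewrite present, but the capture carries no '?' metacharacter
    rewrite "^/users/(\d+)/?$" /show?user=$1 break;
}
"""

if __name__ == '__main__':
    print(status_from_nginx_v('nginx version: nginx/1.24.0'))
    for f in scan_config(SAMPLE_CONF):
        print(f'line {f.line}: {f.directive} {f.detail}')
```

Run against real files with `scan_config(open(path).read())`; a hit is a reason to prioritise the host for the 1.30.1 / 1.31.0 upgrade and, on ASLR-disabled builds, to treat it as the RCE case the article describes, not a reason to rewrite rules on the strength of a heuristic alone.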