NGINX CVE-2026-42945 ("NGINX Rift") — in-the-wild exploitation confirmed 2026-05-17; patch now mandatory
From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18
If you did nothing this week: VulnCheck honeypot network data confirms active exploitation of CVE-2026-42945 as of 2026-05-17. This was a known-but-unpatched vulnerability in NGINX Open Source through 1.30.0 and NGINX Plus through R34; the transition from disclosure to confirmed in-the-wild (ITW) exploitation occurred within two days. NGINX is the most-deployed reverse proxy and load balancer in Swiss federal and EU public-sector web stacks.
The heap buffer overflow in ngx_http_rewrite_module (present since NGINX 0.6.27, 2008) is triggered by crafted HTTP requests against a specific rewrite-directive configuration pattern: unnamed PCRE capture groups with ? characters, followed by another rewrite, if, or set directive. Unauthenticated attackers can crash NGINX worker processes (confirmed DoS); RCE requires ASLR to be disabled, which occurs on embedded and edge configurations.
Patches: AlmaLinux errata shipped 2026-05-13. F5 patched this in NGINX 1.28.0 (stable) / NGINX Plus R35.
Detection: access logs showing malformed requests that produce rapid 502/504 patterns, or NGINX worker SIGABRT crashes.
ASLR check: cat /proc/sys/kernel/randomize_va_space (0 = disabled = RCE-capable configuration).
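Configuration triage for the rewrite pattern and ASLR check described above, as an added example (not code from this brief, F5 or VulnCheck): it flags rewrite directives that use an unnamed capture group and a ? and are followed by rewrite, if, or set in the same block, and reads the ASLR setting. Assumptions: one directive per line, the ? may sit in either the regex or the replacement, and "followed by" means later in the same block; the sample config is constructed, and a hit means "review this block", not confirmed exposure.

```python
import re
from pathlib import Path
FOLLOW_ON = {"rewrite", "if", "set"}             # follow-on directives named in the brief
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")   # "(" that is not escaped and not "(?..."

# Constructed sample config; only line 3 (followed by line 4) matches the pattern.
SAMPLE = """server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?src=old;
        set $migrated 1;
    }
    location /named/ {
        rewrite ^/named/(?<rest>.*)$ /n/$rest?x=1;
        set $seen 1;
    }
    location /solo/ {
        rewrite ^/solo/(.*)$ /s/$1?x=1 last;
    }
}
"""

def audit(conf_text):
    """Return [(rewrite_line, follow_on_line)] pairs worth manual review."""
    findings, scopes = [], [[]]                  # one list of pending rewrites per open block
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*", "", raw).strip()      # drop comments
        if not line:
            continue
        if line.startswith("}"):
            scopes = scopes[:-1] or [[]]         # block closed: pending rewrites had no follow-on
            continue
        name, *args = line.rstrip(";{").split() or [""]
        if name in FOLLOW_ON and scopes[-1]:     # a follow-on completes every pending rewrite
            findings += [(cand, no) for cand in scopes[-1]]
            scopes[-1].clear()
        if name == "rewrite" and len(args) >= 2:
            has_q = "?" in args[0].replace("(?", "") or "?" in args[1]
            if has_q and UNNAMED_GROUP.search(args[0]):
                scopes[-1].append(no)
        if line.endswith("{"):
            scopes.append([])
    return findings

def aslr_disabled(path="/proc/sys/kernel/randomize_va_space"):
    """True if the kernel reports 0, False otherwise, None if the file is unreadable."""
    try:
        return Path(path).read_text().strip() == "0"
    except OSError:
        return None
```

Run audit() over each file of the effective configuration (for example the output of nginx -T split per file) and treat every returned pair as a block to review before and after patching.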