ctipilot.ch

NGINX Rift — 18-year-old heap buffer overflow in ngx_http_rewrite_module (CVSS 9.2, PoC public)

cve · CVE-2026-42945

  • Coverage timeline: 1 (first 2026-05-15 → last 2026-05-15)
  • Briefs: 1 (1 distinct)
  • Sources cited: 15 (9 hosts)
  • Sections touched: 1 (trending_vulnerabilities)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-15: CTI Daily Brief — 2026-05-15 (section: trending_vulnerabilities)
     First coverage. CVSS 9.2/8.1 heap overflow in NGINX 0.6.27-1.30.0. PoC public. NCSC-CH advisory. Affects NGINX Open Source, Plus, Ingress Controller, and F5 WAF products.

Where this entity is cited

  • trending_vulnerabilities (1)

Source distribution

  • attack.mitre.org: 6 (40%)
  • cert.ssi.gouv.fr: 2 (13%)
  • depthfirst.com: 1 (7%)
  • github.com: 1 (7%)
  • security-hub.ncsc.admin.ch: 1 (7%)
  • blog.spip.net: 1 (7%)
  • cert.europa.eu: 1 (7%)
  • security.paloaltonetworks.com: 1 (7%)
  • other: 1 (7%)

External references

NVD · cve.org · CISA KEV

All cited sources (15)

Items in briefs about NGINX Rift — 18-year-old heap buffer overflow in ngx_http_rewrite_module (CVSS 9.2, PoC public) (1)

CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-42945 (CVSS 4.0: 9.2 / CVSS 3.1: 8.1, CWE-122, codename "NGINX Rift") is a heap buffer overflow in src/http/ngx_http_script.c that has been present since NGINX 0.6.27 (2008) (depthfirst "NGINX Rift" technical writeup, 2026-05-13 · NCSC-CH Security Hub #12575, 2026-05-15).

Root cause: when a rewrite directive combines an unnamed PCRE capture ($1, $2) with a replacement string containing ?, and is followed by another rewrite, if, or set directive in the same scope, ngx_http_script_start_args_code() sets a flag that makes the write phase URI-encode URI-argument characters, expanding +, %, and & by two bytes each, while the length-calculation phase had already sized a shorter buffer without accounting for this escaping. The result is a deterministic out-of-bounds write into the adjacent heap allocation.

Impact: the reliable outcome is a crash of the NGINX worker process (DoS; the master process automatically restarts the worker). RCE requires ASLR to be disabled on the host. A working PoC is public at github.com/depthfirstdisclosures/nginx-rift.

Disclosure: the vulnerability was discovered by the AI-driven security analysis system "depthfirst" and responsibly disclosed to F5/NGINX on 2026-04-18; an RCE PoC was shared with F5/NGINX under NDA on 2026-04-28, and patches were released on 2026-05-13. Exploitation status: no in-the-wild exploitation confirmed; NCSC-CH rates it "UNKNOWN, PoC Available."

Temporary workaround: replace every unnamed capture in rewrite directives with a named capture (e.g., (?P<foo>...) referenced as $foo). This removes the vulnerable code path without requiring an upgrade.

Affected: NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller 3.5.0–5.4.1; NGINX Gateway Fabric 1.3.0–2.5.1; NGINX Instance Manager, NGINX App Protect WAF/DoS, F5 WAF for NGINX.

Fixed: NGINX Open Source 1.30.1/1.31.0; NGINX Plus R32 P6 / R36 P4.
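A defender-side configuration check for the workaround above, added here as an example (not code from the brief, depthfirst, F5 or NGINX): it scans an nginx configuration for rewrite directives whose replacement both references an unnamed capture ($N) and contains ?, the combination the brief describes, and proposes the equivalent named-capture directive. The sample configuration is constructed, and the matching heuristic is an assumption derived from the brief's root-cause description; it deliberately ignores the same-scope condition, so it over-reports rather than misses.

```python
import re
# Constructed sample nginx config (not from the page): line 3 pairs unnamed
# captures with a '?' replacement and is followed by a `set` in the same scope.
SAMPLE_CONF = """\
server {
    location /legacy {
        rewrite ^/legacy/([^/]+)/(.*)$ /app?section=$1&page=$2 last;
        set $flag 1;
    }
    location /static {
        rewrite ^/static/(.*)$ /assets/$1 break;
        rewrite "^/dl/(?P<file>.+)$" "/download?file=$file" last;
    }
}
"""

# One rewrite directive (args bare or quoted).  Scope is not tracked, so this
# over-approximates the trigger: a hit means "review this line", not "exploitable".
_ARG = r"""(?:"([^"]*)"|'([^']*)'|(\S+))"""
_REWRITE = re.compile(r"^\s*rewrite\s+" + _ARG + r"\s+" + _ARG + r"(?:\s+(\w+))?\s*;", re.M)

def _arg(m, base):
    return next(g for g in m.groups()[base:base + 3] if g is not None)

def to_named_captures(regex, replacement):
    """Turn unnamed groups into (?P<gN>...) and $N into $gN (the advisory's workaround).
    Escapes and (?...) constructs are kept; a bare '(' in a character class is not handled."""
    out, n, i = [], 0, 0
    while i < len(regex):
        c = regex[i]
        if c == "\\" and i + 1 < len(regex):          # keep escaped chars verbatim
            out.append(regex[i:i + 2]); i += 2; continue
        if c == "(" and regex[i + 1:i + 2] != "?":     # unnamed capturing group
            n += 1
            c = f"(?P<g{n}>"
        out.append(c); i += 1
    return "".join(out), re.sub(r"\$(\d)", r"$g\1", replacement)

def audit(config_text):
    """Return (line, regex, replacement, suggested_directive) per risky rewrite."""
    findings = []
    for m in _REWRITE.finditer(config_text):
        regex, repl = _arg(m, 0), _arg(m, 3)
        if re.search(r"\$\d", repl) and "?" in repl:   # unnamed capture + '?' in replacement
            start = m.start() + len(m.group(0)) - len(m.group(0).lstrip())
            line = config_text.count("\n", 0, start) + 1
            new_re, new_repl = to_named_captures(regex, repl)
            flag = f" {m.group(7)}" if m.group(7) else ""
            findings.append((line, regex, repl, f'rewrite "{new_re}" "{new_repl}"{flag};'))
    return findings
```

Run `audit()` over each included configuration file separately, since nginx `include` directives are not followed.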