ctipilot.ch

NGINX Rift — 18-year-old heap buffer overflow in ngx_http_rewrite_module (CVSS 9.2, PoC public)

cve · CVE-2026-42945

  • Coverage timeline: 5 mentions, first 2026-05-15 → last 2026-05-28
  • Briefs: 3 (3 distinct)
  • Sources cited: 48 (32 hosts)
  • Sections touched: 5 (action_items, tldr, trending_vulnerabilities, updates, verification_notes)
  • Co-occurring entities: 7

Story timeline

  1. 2026-05-28 · CTI Daily Brief — 2026-05-28 · verification_notes
     First mention. § 7 drop — companion to CVE-2026-9256, both out-of-window.
  2. 2026-05-18 · CTI Daily Brief — 2026-05-18 · tldr
     TL;DR bullet — VulnCheck honeypot telemetry confirms in-the-wild exploitation 2026-05-17.
  3. 2026-05-18 · CTI Daily Brief — 2026-05-18 · updates
     UPDATE — VulnCheck honeypot telemetry confirmed active exploitation 2026-05-17. Promoted from PoC-public to actively-exploited. Patches: NGINX OS 1.30.1 / 1.31.0; Plus R32 P6, R36 P4, 37.0.0.
  4. 2026-05-18 · CTI Daily Brief — 2026-05-18 · action_items
     Action: patch NGINX 1.30.0 → 1.30.1 / Plus R32 P6 / R36 P4 immediately on internet-exposed instances; convert unnamed PCRE captures to named captures as interim mitigation.
  5. 2026-05-15 · CTI Daily Brief — 2026-05-15 · trending_vulnerabilities
     First coverage. CVSS 9.2/8.1 heap overflow in NGINX 0.6.27-1.30.0. PoC public. NCSC-CH advisory. Affects NGINX OS, Plus, Ingress Controller, F5 WAF products.

Where this entity is cited

  • trending_vulnerabilities: 1
  • tldr: 1
  • updates: 1
  • action_items: 1
  • verification_notes: 1

Source distribution

  • attack.mitre.org: 6 (12%)
  • thehackernews.com: 4 (8%)
  • github.com: 3 (6%)
  • my.f5.com: 3 (6%)
  • security-hub.ncsc.admin.ch: 2 (4%)
  • cert.ssi.gouv.fr: 2 (4%)
  • msrc.microsoft.com: 2 (4%)
  • securityweek.com: 2 (4%)
  • other: 24 (50%)


Items in briefs about NGINX Rift — 18-year-old heap buffer overflow in ngx_http_rewrite_module (CVSS 9.2, PoC public) (2)

UPDATE: CVE-2026-42945 NGINX Rift — in-the-wild exploitation confirmed by VulnCheck honeypots

From CTI Daily Brief — 2026-05-18 · published 2026-05-18

UPDATE (originally covered 2026-W21 weekly): VulnCheck honeypot telemetry confirmed active exploitation of CVE-2026-42945 on 2026-05-17, promoting the 18-year-old ngx_http_rewrite_module heap buffer overflow from PoC-public status (where it sat last week) to actively-exploited. The flaw is reachable by an unauthenticated remote attacker with a single crafted HTTP request to any NGINX instance whose rewrite-rule configuration uses unnamed PCRE captures ($1, $2) in the vulnerable pattern (exact preconditions in the 2026-05-15 item below). Successful exploitation crashes the worker process, a reliable DoS whether or not ASLR is enabled, and reaches RCE only on hosts where ASLR is disabled.

Affected per F5 PSIRT advisory K000161019: NGINX Open Source 0.6.27 through 1.30.0 (every release since 2008) and NGINX Plus R32 through R36, plus F5 NGINX Instance Manager, NGINX Ingress Controller, NGINX Gateway Fabric, NGINX App Protect WAF, F5 WAF for NGINX, and NGINX App Protect DoS. Patches: NGINX Open Source 1.30.1 / 1.31.0; NGINX Plus R32 P6, R36 P4. Interim mitigation if immediate upgrade is not possible: convert unnamed PCRE captures in all rewrite directives to named captures ((?P<name>...) in the regex, referenced as $name in the replacement).

Detection-engineering anchors follow from the flaw class (heap-overflow worker crash under specific rewrite-rule configurations): NGINX worker-process crash events in the error log, syslog or journald (the master process's "worker process N exited on signal 11/6" alert followed by an immediate respawn), correlated with inbound HTTP requests from the same source whose request targets are unusually long or dense in the characters the length calculation under-counts (+, % and &). Two caveats: the crashing request normally never reaches NGINX's own access log, because the log phase runs at request finalisation, so the request records have to come from an edge proxy, load balancer or WAF in front of NGINX; and defenders should validate these anchors against their own rewrite-rule configuration before depending on them.
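The crash-to-request correlation just described, as an added example that is not part of this brief, its sources or any vendor tooling: it reads the master process's worker-exit alerts out of the NGINX error log (the same message body arrives in syslog or journald when error_log is pointed there) together with the request records of an edge proxy sitting in front of NGINX, and reports clients whose unusually long or escape-dense requests landed in the seconds before a crash. Assumptions, all labelled in the code: the edge-record format is invented, both logs are taken to be in UTC, the length and density thresholds are starting points, and every log line is constructed.

```python
"""Correlate NGINX worker-process crashes with the inbound requests that preceded them,
following the detection anchors described above.  Added example, not code from this
brief's sources or any vendor; ERROR_LOG and EDGE_LOG are constructed.  Assumption: the
request records come from an edge proxy / load balancer / WAF in front of NGINX, because
a worker that dies mid-request never writes that request to NGINX's own access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# NGINX master-process alert for a crashed worker (ngx_process_cycle.c):
#   "<ts> [alert] <pid>#<tid>: worker process <pid> exited on signal <n> ..."
CRASH_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
                      r"worker process \d+ exited on signal (6|11)\b")
# constructed (assumed) edge-proxy record: "<iso-utc-ts> <client> <method> <target>"
REQ_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")
UTC_TS = "%Y-%m-%dT%H:%M:%SZ"                    # both logs assumed to be in UTC

def parse_crashes(error_log: str) -> List[datetime]:
    """Timestamps of SIGABRT/SIGSEGV worker exits; respawn and unrelated lines are ignored."""
    return [datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            for m in map(CRASH_RE.match, error_log.splitlines()) if m]

def parse_requests(edge_log: str) -> List[Tuple[datetime, str, str]]:
    """(timestamp, client, request-target) triples from the edge records."""
    return [(datetime.strptime(m.group(1), UTC_TS), m.group(2), m.group(4))
            for m in map(REQ_RE.match, edge_log.splitlines()) if m]

def odd_target(target: str, min_len: int = 1024, min_expand: int = 64) -> bool:
    """Heuristic from the flaw description: a request target that is unusually long or
    dense in '+', '%' and '&', the characters whose escaping grows the write."""
    return len(target) >= min_len or sum(target.count(c) for c in "+%&") >= min_expand

def correlate(error_log: str, edge_log: str, window_s: int = 5) -> Dict[str, List[datetime]]:
    """{client: [crash timestamps]} for clients that sent an odd-looking request up to
    window_s seconds before a worker crash."""
    reqs = parse_requests(edge_log)
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for crash in parse_crashes(error_log):
        for ts, client, target in reqs:
            if timedelta(0) <= crash - ts <= timedelta(seconds=window_s) and odd_target(target):
                if crash not in hits[client]:
                    hits[client].append(crash)
    return dict(hits)

ERROR_LOG = """\
2026/05/17 03:14:15 [alert] 1201#1201: worker process 1337 exited on signal 11 (core dumped)
2026/05/17 03:14:15 [notice] 1201#1201: start worker process 1338
2026/05/17 03:14:19 [alert] 1201#1201: worker process 1338 exited on signal 11 (core dumped)
2026/05/17 03:14:19 [notice] 1201#1201: start worker process 1339
"""
PAYLOAD = "/legacy/" + "%2B%25%26" * 400          # constructed long, escape-dense target
EDGE_LOG = f"""\
2026-05-17T03:14:13Z 198.51.100.9 GET /static/app.css
2026-05-17T03:14:14Z 203.0.113.7 GET {PAYLOAD}
2026-05-17T03:14:18Z 203.0.113.7 GET {PAYLOAD}
2026-05-17T03:14:18Z 198.51.100.9 GET /legacy/home?page=1
2026-05-17T03:16:40Z 203.0.113.7 GET /legacy/about
"""

if __name__ == "__main__":
    for client, crashes in correlate(ERROR_LOG, EDGE_LOG).items():
        print(client, "preceded", len(crashes), "worker crash(es) at", [c.isoformat() for c in crashes])
```

The request side deliberately comes from an edge device rather than from NGINX's access log: a worker that dies in the rewrite phase never reaches the log phase, so its request leaves no access-log line. In production, bring both timestamp sources onto one clock and time zone before trusting the window, tune the thresholds to the site's normal request-target lengths, and treat a hit as a triage lead rather than a confirmed exploitation attempt.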

CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

CVE-2026-42945 (CVSS 4.0: 9.2 / CVSS 3.1: 8.1, CWE-122, codename "NGINX Rift") is a heap buffer overflow present in src/http/ngx_http_script.c since NGINX 0.6.27 (2008) (depthfirst "NGINX Rift" technical writeup, 2026-05-13 · NCSC-CH Security Hub #12575, 2026-05-15). Root cause: when a rewrite directive combines an unnamed PCRE capture ($1, $2) with a replacement string containing ?, and is followed by another rewrite, if, or set directive in the same scope, ngx_http_script_start_args_code() sets a flag that makes the write phase URI-encode argument characters, expanding +, %, and & by two bytes each, while the length-calculation phase had already sized the buffer without that escaping. The result is a deterministic out-of-bounds write into the adjacent heap allocation.

Reliable impact is a crash of the NGINX worker process (DoS; the master process respawns the worker automatically); RCE requires ASLR to be disabled on the host. A working PoC is public at github.com/depthfirstdisclosures/nginx-rift.

The vulnerability was discovered by the AI-driven security analysis system "depthfirst" and responsibly disclosed to F5/NGINX on 2026-04-18, with an RCE PoC shared to F5/NGINX under NDA on 2026-04-28; patches were released on 2026-05-13. Exploitation status: no in-the-wild exploitation confirmed; NCSC-CH rates "UNKNOWN, PoC Available."

Temporary workaround: replace all unnamed captures in rewrite directives with named captures (e.g., (?P<foo>...) in the regex and $foo in the replacement); this avoids the vulnerable code path without an upgrade.

Affected: NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller 3.5.0–5.4.1; NGINX Gateway Fabric 1.3.0–2.5.1; NGINX Instance Manager, NGINX App Protect WAF/DoS, F5 WAF for NGINX. Fixed: NGINX Open Source 1.30.1 / 1.31.0; NGINX Plus R32 P6 / R36 P4.