Daily brief 2026-05-15
CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public
Entities: NCSC-CH
Part of run 2026-05-15-58b94fbd (intel · Claude Sonnet 4.6)
CVE-2026-42945 (CVSS 4.0: 9.2 / CVSS 3.1: 8.1, CWE-122, codename "NGINX Rift") is a heap buffer overflow present in src/http/ngx_http_script.c since NGINX 0.6.27 (2008) (depthfirst "NGINX Rift" technical writeup, 2026-05-13 · NCSC-CH Security Hub #12575, 2026-05-15).

Root cause: when a rewrite directive combines an unnamed PCRE capture ($1, $2) with a replacement string containing ?, and is followed by another rewrite, if, or set directive in the same scope, ngx_http_script_start_args_code() sets a flag that makes the write phase URI-encode URI argument characters (expanding +, %, and & by two bytes each), while the length-calculation phase has already sized a shorter buffer without this escaping. The result is a deterministic out-of-bounds write into the adjacent heap allocation.

Impact: the reliable outcome is a crash of the NGINX worker process (DoS, with the master process restarting the worker automatically); RCE requires ASLR to be disabled on the host. A working PoC is public at github.com/depthfirstdisclosures/nginx-rift. Exploitation status: no in-the-wild exploitation confirmed; NCSC-CH rates it "UNKNOWN, PoC Available."

Disclosure timeline: the vulnerability was discovered by the AI-driven security analysis system "depthfirst" and responsibly disclosed to F5/NGINX on 2026-04-18; an RCE PoC was shared with F5/NGINX under NDA on 2026-04-28; patches were released on 2026-05-13.

Temporary workaround: replace all unnamed captures with named captures (e.g., (?P<foo>...) → $foo) in rewrite directives. This eliminates the vulnerable code path without requiring an upgrade.

Affected: NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36; NGINX Ingress Controller 3.5.0–5.4.1; NGINX Gateway Fabric 1.3.0–2.5.1; NGINX Instance Manager, NGINX App Protect WAF/DoS, F5 WAF for NGINX. Fixed: NGINX Open Source 1.30.1/1.31.0; NGINX Plus R32 P6 / R36 P4.
Action items
- Audit NGINX configurations for the CVE-2026-42945 vulnerable pattern and either apply the workaround or upgrade. Grep all nginx.conf and included config files for rewrite directives combining an unnamed PCRE capture ($1, $2) with a replacement containing ? followed by another rewrite, if, or set in the same scope. Replace unnamed captures with named captures ((?P<name>...) → $name) as an immediate workaround. Upgrade to NGINX Open Source 1.30.1 / 1.31.0 or NGINX Plus R32 P6 / R36 P4 to remediate. Check Kubernetes clusters for the NGINX Ingress Controller version and apply the corresponding fixed chart. Prioritise internet-facing reverse proxies and API gateways.
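A config audit helper for the action item above, added here as an example (it is not code from the depthfirst writeup or from F5/NGINX): it tokenizes an nginx config, tracks block scope, and reports each rewrite whose replacement uses an unnamed capture ($N) and contains ? and that is followed by another rewrite, if or set in the same scope. It is a heuristic over a simplified parser (no include expansion, so run it per file), and the sample config is constructed.

```python
import re

# Simplified nginx.conf tokenizer: quoted strings, { } ; punctuation, bare words;
# comments are dropped. No include expansion, so feed it each file separately.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'|([{};])|#[^\n]*|([^\s{};"\']+)')
_UNNAMED_REF = re.compile(r"\$\d")     # $1..$9: reference to an unnamed PCRE capture
_FOLLOWERS = {"rewrite", "if", "set"}  # a later one of these in scope completes the pattern

def _scopes(text):
    """Split config into scopes: each is the ordered list of its directives (argv lists)."""
    scopes, cur = [[]], []
    stack = [scopes[0]]                    # open blocks, innermost last
    for m in _TOKEN.finditer(text):
        t = next((g for g in m.groups() if g is not None), None)
        if t == ";":                       # end of a simple directive
            stack[-1].append(cur); cur = []
        elif t == "{":                     # block directive: record it, open its scope
            stack[-1].append(cur); cur = []
            scopes.append([]); stack.append(scopes[-1])
        elif t == "}":
            if len(stack) > 1:             # tolerate an unbalanced closing brace
                stack.pop()
        elif t is not None:                # None = comment match, skipped
            cur.append(t)
    return scopes

def find_vulnerable_rewrites(config_text):
    """Regex of each rewrite matching the CVE-2026-42945 shape: replacement references an
    unnamed capture ($N) and contains '?', and a later rewrite/if/set shares the scope."""
    hits = []
    for scope in _scopes(config_text):
        for i, d in enumerate(scope):
            if len(d) < 3 or d[0] != "rewrite":
                continue
            if not (_UNNAMED_REF.search(d[2]) and "?" in d[2]):
                continue
            if any(later and later[0] in _FOLLOWERS for later in scope[i + 1:]):
                hits.append(d[1])
    return hits

# Constructed sample config (not from the writeup): /old has the vulnerable shape,
# /legacy applies the named-capture workaround, /plain has no following directive.
SAMPLE = """
server {
    location /old    { rewrite ^/old/(.*)$ /new?item=$1 last; set $hit 1; }
    location /legacy { rewrite ^/legacy/(?P<slug>.*)$ /new?item=$slug last; set $hit 1; }
    location /plain  { rewrite ^/plain/(.*)$ /new?item=$1 last; }
}
"""
```

Only the /old rewrite is reported for SAMPLE; a hit means either apply the named-capture workaround to that directive or upgrade the instance.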