CVE-2026-42945 NGINX Rift — in-the-wild exploitation confirmed by VulnCheck honeypots
Part of run 2026-05-18-2eabc1cf (intel · Claude Opus 4.7)
UPDATE (originally covered 2026-W21 weekly): VulnCheck honeypot telemetry confirmed active exploitation of CVE-2026-42945 on 2026-05-17, promoting the 18-year-old ngx_http_rewrite_module heap buffer overflow from PoC-public status (where it sat last week) to actively-exploited. The flaw is reachable by an unauthenticated remote attacker via a single crafted HTTP request to any NGINX instance running a rewrite-rule configuration that uses unnamed PCRE captures ($1, $2); successful exploitation crashes the worker process (DoS reliable on ASLR-enabled hosts) and reaches RCE on hosts where ASLR is disabled.
Affected per F5 PSIRT advisory K000161019: NGINX Open Source 0.6.27 through 1.30.0 (every release since 2008) and NGINX Plus R32 through R36, plus F5 NGINX Instance Manager, NGINX Ingress Controller, NGINX Gateway Fabric, NGINX App Protect WAF, F5 WAF for NGINX, and NGINX App Protect DoS.
Patches: NGINX Open Source 1.30.1 / 1.31.0; NGINX Plus R32 P6, R36 P4.
Interim mitigation if immediate upgrade is not possible: convert unnamed PCRE captures in all rewrite directives to named captures ((?P<name>...) syntax).
Detection-engineering anchors that follow from the flaw class (heap-overflow worker crash under specific rewrite-rule configurations) are NGINX worker-process crash events (SIGSEGV / SIGABRT and immediate respawn) in syslog / journald, correlated with inbound HTTP requests carrying unusually long or deeply-nested rewrite-rule input strings from the same source; defenders should validate these against their own rewrite-rule configuration before depending on them.
Action items
- Patch NGINX 1.30.0 → 1.30.1 / 1.31.0 (open source) or NGINX Plus → R32 P6 / R36 P4 immediately on any internet-exposed instance. VulnCheck honeypot telemetry confirmed in-the-wild exploitation of CVE-2026-42945 ("NGINX Rift") on 2026-05-17. Where same-day upgrade is not feasible, audit nginx.conf and included *.conf rewrite rules for unnamed PCRE captures ($1, $2) and convert to named captures as an interim mitigation per the F5 advisory.
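One way to run the configuration audit from the action item above, as an added example that is not part of the original brief or the F5 advisory. It is a line-based heuristic, not a full NGINX parser; the function names, the sample configuration and the choice to check `set`, `if` and `return` alongside `rewrite` are assumptions.

```python
import re
import sys
from pathlib import Path

# Directives of ngx_http_rewrite_module that can reference captures.
# Assumption: the page only says "rewrite directives"; narrow this set if needed.
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*(rewrite|set|if|return)\b")
POSITIONAL = re.compile(r"\$[1-9]")      # $1..$9; named refs like $id do not match
COMMENT = re.compile(r"(?:^|\s)#.*")     # '#' starts a comment at a token boundary

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r"""server {
    # legacy rule: rewrite ^/x/(.*)$ /y/$1;
    rewrite ^/old/(.*)/(.*)$ /new/$2/$1 permanent;
    rewrite ^/user/(?P<id>\d+)$ /profile?id=$id last;
    location /a { rewrite "^/a/(\d{3})$" /b/$1 break; }
    return 301 https://example.com$request_uri;
}
"""


def find_positional_captures(conf_text):
    """Return [(line_no, directive, ['$1', ...])] for lines needing review."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = COMMENT.sub("", raw).strip()
        directive = DIRECTIVE.search(line)
        refs = sorted(set(POSITIONAL.findall(line)))
        if directive and refs:
            findings.append((line_no, directive.group(1), refs))
    return findings


def scan_tree(root):
    """Scan every *.conf under root (this includes nginx.conf itself)."""
    results = {}
    for path in sorted(Path(root).rglob("*.conf")):
        hits = find_positional_captures(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_tree(sys.argv[1])
    else:
        report = {"<sample>": find_positional_captures(SAMPLE)}
    for name, hits in report.items():
        for line_no, directive, refs in hits:
            print(f"{name}:{line_no}: {directive} uses {', '.join(refs)}")
```

Pass the configuration directory as the only argument to scan a host. Files pulled in by `include` under names that do not end in `.conf`, and directives split across several lines, are not covered and need a manual check.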