[SECURITY-L] NGINX Rift: Achieving NGINX Remote Code Execution via an 18-Year-Old Vulnerability

CSIRT Unicamp security em unicamp.br
Thu May 14 09:00:54 -03 2026


Source:
https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

Cybersecurity researchers have disclosed multiple security vulnerabilities
impacting NGINX Plus and NGINX Open Source, including a critical flaw that
remained undetected for 18 years.

The vulnerability, discovered <https://depthfirst.com/nginx-rift> by
depthfirst <https://depthfirst.com/>, is a heap buffer overflow issue
impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that
could allow an attacker to achieve remote code execution or cause a
denial-of-service (DoS) with crafted requests. It has been codenamed *NGINX
Rift*.

"NGINX Plus and NGINX Open Source have a vulnerability in the
ngx_http_rewrite_module module," F5 said
<https://my.f5.com/manage/s/article/K000161019> in an advisory released
Wednesday. "This vulnerability exists when the rewrite directive is
followed by a rewrite, if, or set directive and an unnamed Perl-Compatible
Regular Expression (PCRE) capture (for example, $1, $2) with a replacement
string that includes a question mark (?)."

"An unauthenticated attacker, along with conditions beyond its control, can
exploit this vulnerability by sending crafted HTTP requests. This may cause
a heap buffer overflow in the NGINX worker process, leading to a restart.
Additionally, for systems with Address Space Layout Randomization (ASLR)
disabled, code execution is possible."

The issue has been addressed in the following versions after responsible
disclosure on April 21, 2026 -

   - NGINX Plus R32 - R36 (Fixes introduced in R32 P6 and R36 P4)
   - NGINX Open Source 1.0.0 - 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0)
   - NGINX Open Source 0.6.27 - 0.9.7 (No fixes planned)
   - NGINX Instance Manager 2.16.0 - 2.21.1
   - F5 WAF for NGINX 5.9.0 - 5.12.1
   - NGINX App Protect WAF 4.9.0 - 4.16.0
   - NGINX App Protect WAF 5.1.0 - 5.8.0
   - F5 DoS for NGINX 4.8.0
   - NGINX App Protect DoS 4.3.0 - 4.7.0
   - NGINX Gateway Fabric 1.3.0 - 1.6.2
   - NGINX Gateway Fabric 2.0.0 - 2.5.1
   - NGINX Ingress Controller 3.5.0 - 3.7.2
   - NGINX Ingress Controller 4.0.0 - 4.0.1
   - NGINX Ingress Controller 5.0.0 - 5.4.1

In its own advisory, depthfirst said the vulnerability could allow a
remote, unauthenticated attacker to corrupt the heap of an NGINX worker
process by sending a crafted URI. What makes the vulnerability severe is
that it's reachable without authentication, can be reliably used to trigger
the heap overflow, and can lead to remote code execution in the NGINX
worker process.

"An attacker who can reach a vulnerable NGINX server over HTTP can send a
single request that overflows the heap in the worker process and achieves
remote code execution," depthfirst said. "There is no authentication step,
no prior access requirement, and no need for an existing session."

"The bytes written past the allocation are derived from the attacker’s URI,
so the corruption is shaped by the attacker rather than random. Repeated
requests can also be used to keep workers in a crash loop and degrade
availability for every site served by the instance."

Also patched in NGINX Plus and NGINX Open Source are three other flaws -

   - *CVE-2026-42946 <https://my.f5.com/manage/s/article/K000161027>* (CVSS
   v4 score: 8.3) - An excessive memory allocation vulnerability in the
   ngx_http_scgi_module and ngx_http_uwsgi_module modules that could allow a
   remote, unauthenticated attacker with adversary-in-the-middle (AitM)
   capabilities to control responses from an upstream server to read the
   memory of the NGINX worker process or restart it when scgi_pass or
   uwsgi_pass is configured.
   - *CVE-2026-40701 <https://my.f5.com/manage/s/article/K000161021>* (CVSS
   v4 score: 6.3) - A use-after-free vulnerability in the ngx_http_ssl_module
   module that could allow a remote, unauthenticated attacker to have limited
   control of modification of data or restart the NGINX worker process when
   the ssl_verify_client directive is set to "on" or "optional," and the
   ssl_ocsp directive is set to "on."
   - *CVE-2026-42934 <https://my.f5.com/manage/s/article/K000161028>* (CVSS
   v4 score: 6.3) - An out-of-bounds read vulnerability in the
   ngx_http_charset_module module that could allow a remote, unauthenticated
   attacker to disclose memory contents or restart the NGINX worker process
   when the charset, source_charset, and charset_map directives are configured
   together with proxy_pass and buffering disabled ("off").

Users are advised to apply the latest versions for optimal protection. If
immediate patching is not an option for CVE-2026-42945, users are advised
to change the rewrite configuration by replacing unnamed captures with
named captures in every affected rewrite directive.
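The following configuration fragment is an added illustration of that interim mitigation; it is not taken from the F5 or depthfirst advisories. The location, path and upstream names (`/legacy/`, `/app/index.php`, `app_upstream`) are hypothetical. The first block shows the pattern F5 describes (a `rewrite` with an unnamed capture and a `?` in its replacement, followed by a `set` directive); the second shows the same routing rewritten with a named PCRE capture, which is the change F5 recommends for every affected `rewrite` directive until the fixed release can be installed.

```nginx
# Added example (not from the F5 or depthfirst advisories).
# Names below are hypothetical; "app_upstream" is assumed to be
# defined in an upstream {} block elsewhere in the configuration.

# BEFORE: matches the conditions F5 lists for CVE-2026-42945.
# An unnamed capture ($1) is used in a replacement that contains a
# question mark, and the rewrite is followed by a set directive.
location /legacy/ {
    rewrite ^/legacy/(.*)$ /app/index.php?page=$1 break;
    set $backend_hint "legacy";
    proxy_pass http://app_upstream;
}

# AFTER: same routing using a named capture, the interim mitigation
# F5 advises when immediate patching is not possible. The group is
# named with (?<page>...) and referenced as $page instead of $1.
location /legacy/ {
    rewrite ^/legacy/(?<page>.*)$ /app/index.php?page=$page break;
    set $backend_hint "legacy";
    proxy_pass http://app_upstream;
}
```

To find candidates for this change, search the configuration tree for rewrite directives that reference numbered captures, for example `grep -rnE 'rewrite[^;]*\$[0-9]' /etc/nginx/`, and validate the edited configuration with `nginx -t` before reloading. The mitigation is a workaround for the rewrite-module flaw only; the three other CVEs listed above are addressed by upgrading.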
Computer Security Incident Response Team - CSIRT
Diretoria Executiva de Tecnologia da Informação e Comunicação - DETIC
Universidade Estadual de Campinas - Unicamp
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830