Critical NGINX “Rift” Vulnerability (CVE‑2026‑42945) Enables Remote Code Execution and DoS
What It Is — A newly disclosed memory‑corruption flaw in NGINX Open Source (versions 0.6.27 through 1.30.0) and NGINX Plus (R32 through R36) that can be triggered by a crafted HTTP request. The bug resides in ngx_http_rewrite_module and allows an unauthenticated attacker to corrupt the heap, leading to deterministic remote code execution (RCE) or denial‑of‑service (DoS).
Exploitability — Public proof‑of‑concept released; exploitation observed in the wild within days of disclosure. CVSS v3.1 estimated at 9.8 (Critical).
Affected Products — NGINX Open Source, NGINX Plus, F5‑integrated solutions (NGINX Ingress Controller, F5 WAF for NGINX, etc.).
TPRM Impact — Any third‑party service that relies on NGINX for web serving, load‑balancing, or reverse‑proxying inherits the risk. A compromised upstream can be used to pivot into downstream SaaS applications, expose customer data, or cause widespread service outages.
Recommended Actions —
- Deploy F5/NGINX patches immediately (see advisory).
- Verify version inventory; flag any instance running ≤ 1.30.0 or affected Plus releases.
- Apply temporary mitigations: disable unsafe rewrite patterns, add WAF rules to block the malicious URI pattern, and enforce strict input validation.
- Monitor logs for repeated 4xx/5xx responses containing suspicious query strings; enable IDS/IPS signatures for CVE‑2026‑42945.
- Conduct a rapid risk assessment of any downstream services that depend on the affected NGINX instances.
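The inventory check and the log‑monitoring step above can be automated. The script below is an added example for this bulletin, not code from F5, NGINX or Help Net Security. It assumes the affected ranges are exactly the ones the bulletin states (open source 0.6.27 through 1.30.0 and Plus R32 through R36, treated as inclusive), that inventory versions arrive as strings such as "nginx/1.24.0" or "nginx-plus-r33", and that access logs use the default NGINX combined format. Because the bulletin does not publish the malicious URI pattern, the triage heuristic is deliberately generic: it counts repeated 4xx/5xx responses per client on requests that carried a query string. Hostnames and log lines are constructed sample data.

```python
"""Triage helpers for the NGINX CVE-2026-42945 bulletin (added example).

Assumptions (not from the bulletin): affected ranges are inclusive, inventory
versions are "nginx/X.Y.Z", "X.Y.Z" or "nginx-plus-rNN" strings, and logs use
the default combined format. Sample inventory and log lines are constructed.
"""
import re
from collections import Counter

# Affected ranges as the bulletin states them (assumed inclusive).
OSS_MIN = (0, 6, 27)
OSS_MAX = (1, 30, 0)
PLUS_MIN, PLUS_MAX = 32, 36

_OSS_RE = re.compile(r"^(?:nginx/)?(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)
_PLUS_RE = re.compile(r"^nginx-plus-r(\d+)(?:-p\d+)?$", re.IGNORECASE)

# Default NGINX combined log format: client, ident, user, [time], "request", status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def is_affected(version: str) -> bool:
    """Return True if an inventory version string falls in an affected range.

    Unrecognised formats raise ValueError rather than being silently treated
    as safe, so an inventory with odd entries gets looked at by a human.
    """
    v = version.strip()
    m = _OSS_RE.match(v)
    if m:
        tup = tuple(int(x) for x in m.groups())
        return OSS_MIN <= tup <= OSS_MAX  # tuple comparison is numeric, not lexical
    m = _PLUS_RE.match(v)
    if m:
        return PLUS_MIN <= int(m.group(1)) <= PLUS_MAX
    raise ValueError(f"unrecognised NGINX version string: {version!r}")


def flag_inventory(inventory: dict) -> list:
    """Return sorted hostnames whose recorded NGINX version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


def suspicious_sources(log_lines, threshold: int = 3) -> dict:
    """Clients with >= threshold 4xx/5xx responses on requests carrying a query string.

    Generic heuristic (assumption): the bulletin gives no URI pattern, so this
    only surfaces sources worth a closer look; it is not a signature.
    """
    hits = Counter()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:  # malformed or empty "$request" such as "-"; skip
            continue
        status = int(m.group("status"))
        if status < 400 or "?" not in m.group("target"):
            continue
        hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample data (hypothetical hosts, RFC 5737 documentation addresses).
SAMPLE_INVENTORY = {
    "web-01.example.test": "nginx/1.24.0",    # inside the open source range
    "web-02.example.test": "nginx/1.31.1",    # outside the stated range
    "lb-01.example.test": "nginx-plus-r33",   # inside the Plus range
    "lb-02.example.test": "nginx-plus-r37",   # outside the Plus range
    "old-01.example.test": "0.6.26",          # predates the stated range
}

SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /app?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2026:10:00:03 +0000] "GET /search?q=AAAA HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2026:10:00:04 +0000] "GET /search?q=BBBB HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2026:10:00:05 +0000] "GET /search?q=CCCC HTTP/1.1" 400 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2026:10:00:06 +0000] "GET /static/logo.png HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.5 - - [01/Jan/2026:10:00:07 +0000] "GET /login?next=/ HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    print("affected hosts:", flag_inventory(SAMPLE_INVENTORY))
    print("sources to review:", suspicious_sources(SAMPLE_LOG))
```

On the sample data the inventory check flags lb-01 and web-01, and the log pass surfaces only 198.51.100.9 (three error responses on query‑string requests; its 404 on a static path is not counted). Feed real inventory exports and access logs into the same two functions, and tighten the heuristic once the vendor advisory's URI pattern is available.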
Source: Help Net Security