Critical Heap Buffer Overflow in NGINX (CVE‑2026‑42945) Actively Exploited, Threatening Web Infrastructure
What It Is — A heap‑buffer overflow (named NGINX Rift) resides in the ngx_http_rewrite_module of both NGINX Plus and NGINX Open Source. The flaw is triggered by a specific rewrite‑directive pattern that can cause out‑of‑bounds writes, potentially leading to crashes or remote code execution.
Exploitability — Active exploitation has been observed on VulnCheck canaries within days of disclosure. A public PoC exists but requires ASLR to be disabled, making reliable RCE difficult in hardened environments. CVSS v4.0 = 9.2 (Critical).
Affected Products — NGINX Open Source (all mainstream releases) and NGINX Plus (commercial edition). The vulnerable component (ngx_http_rewrite_module) is compiled into virtually every default NGINX build, including reverse‑proxy, load‑balancer, and Kubernetes ingress controller deployments.
TPRM Impact —
- The vulnerability spans a core internet‑facing component used by SaaS providers, cloud platforms, and enterprise web applications, creating a broad supply‑chain exposure.
- Exploitation can cause service outages or data‑leak pathways that cascade to downstream customers, inflating third‑party risk scores.
Recommended Actions —
- Prioritize immediate patching of all NGINX instances to the latest release that addresses CVE‑2026‑42945.
- Conduct configuration reviews to identify rewrite directives that combine unnamed PCRE captures with a “?” replacement and are followed by another rewrite, if, or set directive.
- Deploy runtime mitigations: enable ASLR, enforce SELinux/AppArmor confinement, and consider WAF rules that block suspicious rewrite patterns.
- Verify that any third‑party services (e.g., F5 NGINX, CDN providers) have applied the fix; request proof of remediation from vendors.
- Update incident‑response playbooks to include detection signatures for the known PoC traffic.
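As an added illustration of the configuration review recommended above (example code written for this summary, not taken from the advisory, from NGINX, or from F5): a small Python audit that flags rewrite directives whose regex contains an unnamed PCRE capture, whose replacement contains a "?", and which are followed by another rewrite, if, or set directive in the same block. The parser is a deliberately simplified heuristic (one directive per line, no quoted arguments containing spaces) and the sample configuration is constructed.

```python
import re

# Constructed sample config (not from the advisory): one matching rewrite, one named capture, one with no follower.
SAMPLE_CONF = """\
server {
    listen 80;
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1? last;
        set $flag 1;
    }
    location /named/ {
        rewrite ^/named/(?<rest>.*)$ /ok/$rest? last;
        set $flag 1;
    }
    location /lonely/ {
        rewrite ^/lonely/(.*)$ /l/$1? last;
    }
}
"""

# rewrite <regex> <replacement> [flag];  (simplified: args are single tokens)
_REWRITE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;')
# The "followed by another rewrite, if, or set" part of the advisory's pattern.
_FOLLOWER = re.compile(r'^\s*(rewrite|if|set)\b')
# Unescaped "(" not followed by "?": an unnamed capture (named and non-capturing groups start with "(?").
_UNNAMED_CAPTURE = re.compile(r'(?<!\\)\((?!\?)')

def find_suspicious_rewrites(config_text):
    """Return (line_no, regex, replacement) for each rewrite with an unnamed capture
    and a "?" in its replacement that is followed by rewrite/if/set in the same block."""
    lines = config_text.splitlines()
    hits = []
    for idx, line in enumerate(lines):
        m = _REWRITE.match(line)
        if not m:
            continue
        regex, repl = m.group(1).strip('"\''), m.group(2).strip('"\'')
        if not _UNNAMED_CAPTURE.search(regex) or '?' not in repl:
            continue
        depth = 0  # brace depth relative to the block holding the rewrite
        for later in lines[idx + 1:]:
            if depth == 0 and _FOLLOWER.match(later):
                hits.append((idx + 1, regex, repl))
                break
            depth += later.count('{') - later.count('}')
            if depth < 0:
                break  # block closed without a follower: not the reviewed pattern
    return hits
```

On the sample, find_suspicious_rewrites(SAMPLE_CONF) returns only the /old/ rewrite at line 4; the named-capture and follower-less cases are left alone, so a reviewer can focus on the directives that actually match the pattern.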
Source: Security Affairs – Experts warn of active exploitation of critical NGINX flaw CVE‑2026‑42945