NGINX Rift — The 16-Year-Old Vulnerability That’s Being Exploited Right Now | Stack of Truths


NGINX Rift — The 16-Year-Old Vulnerability That’s Being Exploited Right Now

May 20, 2026 — 8 min read — Pedro Jose

A heap buffer overflow in NGINX’s rewrite module. CVSS 9.2. Present in every version from 0.6.27 (2008) through 1.30.0. Patched on May 13, 2026. Exploitation confirmed in the wild by May 17, 2026 [citation:3].

Five days. That’s how long it took for attackers to weaponize a vulnerability that sat dormant for sixteen years. If you haven’t patched yet, you’re already behind.

⚡ THE HARD TRUTH

CVE-2026-42945, dubbed “NGINX Rift”, was discovered by an AI scanner in April 2026 [citation:5]. The patch dropped May 13. Public PoC followed within days. Active scanning began immediately. F5 confirmed exploitation on May 17 [citation:3].

Your window to patch closed last week.

The Vulnerability Breakdown

CVE ID: CVE-2026-42945
Name: NGINX Rift
CVSS v4.0 Score: 9.2 (Critical)
Component: ngx_http_rewrite_module
Vulnerable Versions: NGINX Open Source 0.6.27 – 1.30.0 (16+ years)
Fixed Versions: NGINX Open Source 1.30.1, 1.31.0+
Attack Vector: Network (unauthenticated)
Impact: DoS (worker crash) or RCE (if ASLR disabled)

The root cause is a two‑pass contract violation in NGINX’s script engine [citation:8]:

  • Length pass calculates buffer size with is_args=0 (raw bytes)
  • Copy pass runs with is_args=1 (URI‑escaped, expanding every +, %, & to 3 bytes)

    // What the heap overflow looks like:
    // Length pass measures: raw_len bytes
    // Copy pass writes:     raw_len + 2*N bytes (where N = number of escapable chars)
    //                       ^^^^^^^^^^^^^^^^^^^ heap overflow

The Exploit Conditions

Your NGINX configuration must contain a specific pattern to be exploitable [citation:1][citation:10]:

  • A rewrite directive using an unnamed PCRE capture ($1, $2, …)
  • The replacement string contains a question mark (?)
  • Another rewrite, if, or set directive referencing that capture in the same block

    # VULNERABLE PATTERN (these are everywhere)
    rewrite ^/(.*)$ /index.php?q=$1;
    set $original $1;

    rewrite ^/old/(.*)$ /new/$1? permanent;
    set $id $1;

    rewrite ^/api/(.*)$ /internal?migrated=true;
    set $endpoint $1;

⚠️ WordPress and API Gateways Are Prime Targets

The vulnerable rewrite pattern is the standard configuration for PHP front controllers, including WordPress. Millions of sites running the default WP permalink configuration are sitting ducks [citation:10]. API gateways, load balancers, and Kubernetes ingress controllers are equally exposed [citation:4][citation:8].

Impact — DoS vs RCE

On systems with ASLR enabled (default on all modern OSes), the vulnerability causes a worker process crash [citation:5]. NGINX restarts the worker, but repeated exploitation creates a self‑sustaining DoS loop.

On systems with ASLR disabled (still found in some hardened containers and legacy environments), the attacker can achieve full remote code execution [citation:6][citation:8]. The published PoC demonstrates unauthenticated RCE when ASLR is off.
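The crash loop described above leaves a trace that is easy to watch for: every worker killed by the overflow produces an "exited on signal" alert in the NGINX error log, followed by the master respawning a worker. The following sliding-window detector is an added example, not code from the article or from NGINX. It assumes the standard error-log line layout ("YYYY/MM/DD HH:MM:SS [level] pid#tid: message"); the sample log lines, the threshold of three crashes and the 60-second window are constructed for the demonstration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Error-log line for a worker killed by a signal (layout assumed from the
# standard "YYYY/MM/DD HH:MM:SS [level] pid#tid: message" format).
CRASH_RE = re.compile(
    r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: '
    r'worker process (\d+) exited on signal (\d+)'
)

# Constructed sample log: three crashes inside 20 seconds (a crash loop),
# the master respawning workers in between, then one isolated crash later.
SAMPLE_ERROR_LOG = """\
2026/05/20 10:00:00 [alert] 1000#0: worker process 1201 exited on signal 11
2026/05/20 10:00:00 [notice] 1000#0: start worker process 1202
2026/05/20 10:00:10 [alert] 1000#0: worker process 1202 exited on signal 11
2026/05/20 10:00:10 [notice] 1000#0: start worker process 1203
2026/05/20 10:00:20 [alert] 1000#0: worker process 1203 exited on signal 11 (core dumped)
2026/05/20 10:00:20 [notice] 1000#0: start worker process 1204
2026/05/20 10:05:00 [alert] 1000#0: worker process 1204 exited on signal 11
2026/05/20 10:05:00 [notice] 1000#0: start worker process 1205
"""


def worker_crashes(lines):
    """Yield (timestamp, pid, signal) for every worker-crash line."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S')
            yield ts, int(m.group(2)), int(m.group(3))


def crash_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window detector: return the time of each burst in which at
    least `threshold` worker crashes occurred within `window`."""
    recent = deque()
    alerts = []
    for ts, _pid, _sig in worker_crashes(lines):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()          # drop crashes outside the window
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()            # one alert per burst
    return alerts


if __name__ == '__main__':
    for ts in crash_bursts(SAMPLE_ERROR_LOG.splitlines()):
        print(f'{ts}: repeated worker crashes, investigate rewrite traffic')
```

A single crash is noise; a run of them within a minute is the signature of someone repeatedly sending the triggering request. Feeding this the live error log (tail -F piped into a small wrapper) gives a cheap early-warning signal while the patch is rolled out.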

Kubernetes Ingress NGINX is a special case. The project retired in March 2026. No upstream patches will ever be released for v1.15.1 [citation:8]. If you’re running Ingress NGINX, your options are a commercial extended support replacement or migrating to Gateway API. Now.

🧠 THE SCARY PART

VulnCheck identified approximately 5.7 million internet‑exposed NGINX servers running potentially vulnerable versions [citation:3]. The truly exploitable population is smaller because it requires the specific rewrite pattern, but:

→ WordPress alone has that pattern baked into its recommended config
→ Every API gateway using rewrite rules for versioning is at risk
→ Kubernetes ingress controllers bundle vulnerable NGINX binaries

Attackers don’t need to find the vulnerable configuration. They just need to try the request and see if the worker crashes.

What You Need To Do Right Now

1. Patch Immediately — No Excuses

    # Upgrade NGINX Open Source
    # Ubuntu/Debian
    sudo apt update
    sudo apt upgrade nginx
    # RHEL/CentOS
    sudo yum update nginx
    # Verify version (must be 1.30.1 or higher)
    nginx -v
    # Restart workers (reload is NOT enough)
    sudo systemctl restart nginx

Fixed versions [citation:1][citation:5]:

  • NGINX Open Source → 1.30.1 (stable) or 1.31.0+ (mainline)
  • NGINX Plus → R32 P6, R35 P2, or R36 P4+

2. Scan Your Configuration for Vulnerable Patterns

    # Dump the full config and flag rewrite lines with an unnamed capture "(" and a "?" in the
    # replacement; then check the lines that follow each hit for a rewrite/if/set using $N
    sudo nginx -T 2>&1 | grep -nE 'rewrite\s+\S*\([^?\s]\S*\s+\S*\?'
    # Or use the dedicated scanner (run offline, no exploit code)
    git clone https://github.com/tal7aouy/nginx-cve-2026-42945
    sudo python3 nginx-cve-2026-42945/scan_nginx_rift.py --local

3. If You Can’t Patch Immediately — Mitigation

Replace unnamed captures ($1, $2) with named captures in every affected rewrite rule [citation:6]:

    # BEFORE (vulnerable)
    rewrite ^/(.*)$ /index.php?q=$1;
    set $original $1;

    # AFTER (safe)
    rewrite ^/(?<path>.*)$ /index.php?q=$path;
    set $original $path;

WARNING: This is a stopgap, not a fix. The patch is the only complete solution [citation:9].
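The three exploit conditions listed earlier and the named-capture mitigation just shown can both be checked mechanically against a config dump. The script below is an added example, not the article's code and not the linked scan_nginx_rift.py: it tokenises nginx configuration text (the shape that nginx -T prints), walks each block, flags every rewrite whose regex has an unnamed capture and whose replacement contains "?" and which is followed in the same block by a rewrite, if or set that reads $N, and prints the directives rewritten with named captures. The sample config is constructed, the "cap" prefix for the generated group names is an arbitrary choice, and the body of a flagged if block is elided as "{ ... }" in the suggestion.

```python
import re

COMMENT_RE = re.compile(r'#[^\n]*')
# Tokens: quoted strings, block delimiters, statement terminators, bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
CAPTURE_REF = re.compile(r'\$(\d+)')       # $1, $2, ...
DEPENDENTS = ('rewrite', 'if', 'set')

# Constructed sample shaped like `nginx -T` output; not from any real host.
SAMPLE_CONFIG = r"""
server {
    location / {
        rewrite ^/(.*)$ /index.php?q=$1;      # all three conditions met
        set $original $1;
    }
    location /old/ {
        rewrite "^/old/(.*)$" /new/$1? permanent;
        if ($1 = admin) { return 403; }
    }
    location /safe/ {
        rewrite ^/safe/(?<path>.*)$ /index.php?q=$path;   # named capture
        set $original $path;
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /other/$1;      # no "?" in the replacement
        set $copy $1;
    }
}
"""


def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] in '"\'' and tok[-1] == tok[0] else tok


def unnamed_group_positions(regex):
    """Offsets of every '(' opening an unnamed capture group. Skips escaped
    parens and '(?...' forms (named, non-capturing, lookaround)."""
    positions, i = [], 0
    while i < len(regex):
        if regex[i] == '\\':
            i += 2
            continue
        if regex[i] == '(' and not regex.startswith('(?', i):
            positions.append(i)
        i += 1
    return positions


def _parse(tokens, i=0):
    """Parse tokens into [(args, body_or_None), ...], recursing into blocks."""
    stmts, args = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ';':
            stmts.append((args, None))
            args = []
        elif tok == '{':
            body, i = _parse(tokens, i + 1)
            stmts.append((args, body))
            args = []
        elif tok == '}':
            return stmts, i
        else:
            args.append(tok)
        i += 1
    return stmts, i


def suggest_named(rewrite_args, dependents, prefix='cap'):
    """Rewrite directives with named captures: (...) -> (?<capN>...), $N -> $capN.
    Assumes no named groups are mixed into the regex (PCRE numbers those too)."""
    quote = rewrite_args[1][0] if rewrite_args[1][:1] in ('"', "'") else ''
    regex = unquote(rewrite_args[1])
    out, last = [], 0
    for n, pos in enumerate(unnamed_group_positions(regex), start=1):
        out.append(regex[last:pos + 1] + f'?<{prefix}{n}>')
        last = pos + 1
    named_regex = quote + ''.join(out) + regex[last:] + quote
    rename = lambda s: CAPTURE_REF.sub(lambda m: f'${prefix}{m.group(1)}', s)
    lines = ['rewrite ' + ' '.join([named_regex] + [rename(a) for a in rewrite_args[2:]]) + ';']
    for args in dependents:
        tail = ' { ... }' if args[0] == 'if' else ';'
        lines.append(' '.join([args[0]] + [rename(a) for a in args[1:]]) + tail)
    return lines


def _walk(stmts, context):
    findings = []
    for n, (args, body) in enumerate(stmts):
        if body is not None:
            findings.extend(_walk(body, ' '.join(args)))
        if not (args and args[0] == 'rewrite' and len(args) >= 3):
            continue
        regex, replacement = unquote(args[1]), unquote(args[2])
        if not unnamed_group_positions(regex) or '?' not in replacement:
            continue                        # conditions 1 and 2 not met
        # condition 3: a later rewrite/if/set in the same block reads $N
        dependents = [a for a, _ in stmts[n + 1:]
                      if a and a[0] in DEPENDENTS
                      and any(CAPTURE_REF.search(t) for t in a[1:])]
        if dependents:
            findings.append({'context': context, 'rewrite': ' '.join(args),
                             'dependents': [' '.join(a) for a in dependents],
                             'suggested': suggest_named(args, dependents)})
    return findings


def scan(config_text):
    """Return one finding per rewrite rule that meets all three conditions."""
    stmts, _ = _parse(TOKEN_RE.findall(COMMENT_RE.sub('', config_text)))
    return _walk(stmts, 'main')


if __name__ == '__main__':
    for f in scan(SAMPLE_CONFIG):
        print(f"[{f['context']}] {f['rewrite']}  <- read by: {'; '.join(f['dependents'])}")
        print('  suggested:', *f['suggested'], sep='\n    ')
```

Run it as `sudo nginx -T 2>/dev/null | python3 scan_rewrites.py` (reading stdin instead of SAMPLE_CONFIG) to triage a real host. Two hits out of the four locations in the sample is the expected result: /safe/ already uses a named capture and /plain/ has no "?" in its replacement, so only / and /old/ are reported, each with a drop-in named-capture replacement.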

4. Verify ASLR Is Enabled

    # Should return "2" (full ASLR)
    cat /proc/sys/kernel/randomize_va_space

5. Check Kubernetes Ingress Controllers

The community Ingress NGINX project will never release a patch [citation:8].

    # Check your ingress controller version
    kubectl get pods -A | grep ingress-nginx
    kubectl describe pod -n <namespace> <pod-name> | grep Image
    # If you're on v1.15.1 or earlier, you have three options:
    # 1. Migrate to Gateway API (long-term)
    # 2. Switch to F5's commercial ingress controller
    # 3. Purchase extended support (HeroDevs NES, etc.)

📌 THE TIMELINE

May 13 – Patch released, PoC published
May 14 – CSIRT Panamá issues urgent warning [citation:1]
May 15 – Imperva confirms WAF rules deployed [citation:9]
May 17 – Active exploitation confirmed in the wild [citation:3]
May 20 – Today. You are reading this. What have you done?

The Bottom Line

A 16‑year‑old vulnerability, discovered by an AI, patched five days ago, and already being exploited. NGINX powers 32.4% of the world’s websites [citation:9]. WordPress ships with the vulnerable configuration pattern. Kubernetes ingress controllers are frozen with no upstream fixes.

Your NGINX configuration is older than most of your junior engineers. Attackers don’t care about your upgrade cycle. They care about the 5.7 million servers waiting to be scanned.

Patch now. Scan your configs. Verify ASLR. And if you’re on Ingress NGINX, understand that you’re running unsupported software with a critical RCE vulnerability at your cluster edge.

🦞🔐

Not sure if your NGINX config is vulnerable?

Let me check. Full infrastructure pentest: €3,000. Kubernetes security audit: included in retainer.

📩 DM @StackOfTruths on X

Free 15-min consultation. No hard sell. Just honest answers about your exposure.

