A critical vulnerability in NGINX, tracked as CVE‑2026‑42945, is being exploited in the wild against internet‑facing web servers, prompting urgent concern for organizations running NGINX Open Source or NGINX Plus. The flaw, rated 9.2 (Critical) under CVSS v4.0, lies in the ngx_http_rewrite_module and lets unauthenticated attackers crash worker processes or, in certain configurations, achieve remote code execution (RCE) with specially crafted HTTP requests.
Security firms such as VulnCheck and depthfirst have observed attempted exploitation against NGINX honeypots, so the vulnerability is no longer theoretical. The United States' NVD entry and vendor advisories from F5 characterize the issue as a heap buffer overflow that occurs when the replacement string of a rewrite directive contains a question mark (?) and references an unnamed PCRE (Perl‑Compatible Regular Expression) capture such as $1 or $2.
How this vulnerability works
The root cause of CVE-2026-42945 goes back to code added to the NGINX codebase in 2008. The vulnerability is a heap buffer overflow in the string replacement logic of the NGINX rewrite module.
The bug is reachable when a configuration block contains a rewrite directive whose replacement string contains a ? and references an unnamed PCRE capture ($1, $2, ...), followed by another rewrite, if, or set directive (NGINX 1, n.d.). The following block shows the pattern:
# EXTREMELY VULNERABLE CONFIGURATION PATTERN
location ~ ^/api/(.*)$ {
    # replacement contains '?' and references the unnamed capture $1
    rewrite ^/api/(.*)$ /internal_gateway?route=$1 last;
    # a following set/if/rewrite directive that reuses the capture
    set $original_endpoint $1;
}
When NGINX processes a malicious HTTP request aimed at such a rule, its length‑calculation phase and its data‑copying phase disagree about the size of the result:
- The allocation phase: when calculating how many bytes the rewritten URI needs, the engine counts the regex capture as a sequence of raw, unescaped bytes and allocates a heap buffer of exactly that length.
- The copy/escaping phase: when the URI is actually built, the capture is treated as a query‑string argument and URL‑escaped. If the request contains characters that expand when escaped (such as +, %, or &), each single byte becomes three bytes (%XX).
- The overflow: because the destination heap buffer was sized for the raw length, the expanded, escaped output runs past the end of the allocation. This out‑of‑bounds write overwrites adjacent heap memory with attacker‑controlled data and crashes the NGINX worker process.
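To make the size mismatch concrete, here is an added illustration in Python (my own model, not NGINX's ngx_http_script.c and not code from the article). It sizes a buffer the way the allocation phase does, then copies and escapes the way the copy phase does, and reports how many bytes would have landed outside the allocation. The escape set, the FixedBuffer class and the rewrite() helper are assumptions for the model; the prefix /internal_gateway?route= is the replacement from the configuration above.

```python
# Model of the two-phase rewrite described above (added illustration, not
# NGINX's ngx_http_script.c). Phase 1 sizes the output buffer; phase 2 copies
# the pieces in, URL-escaping a capture that lands in the query string.

# Assumption for the model: bytes that triple in size when escaped. The
# article names +, % and &; space, #, ? and non-printables are added here.
EXPANDING = set(b"+%& #?")


def _expands(c: int) -> bool:
    return c < 0x20 or c > 0x7E or c in EXPANDING


def escaped_len(capture: bytes) -> int:
    """Bytes the copy phase will really produce for this capture."""
    return sum(3 if _expands(c) else 1 for c in capture)


def escape(capture: bytes) -> bytes:
    """Percent-encode the expanding bytes (the copy/escaping phase)."""
    out = bytearray()
    for c in capture:
        out += b"%%%02X" % c if _expands(c) else bytes([c])
    return bytes(out)


class FixedBuffer:
    """A heap-style buffer with a hard capacity. Instead of corrupting
    neighbouring memory, bytes that do not fit are counted in overflowed_by."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.data = bytearray()
        self.overflowed_by = 0

    def append(self, chunk: bytes) -> None:
        room = max(self.capacity - len(self.data), 0)
        self.data += chunk[:room]
        if len(chunk) > room:
            self.overflowed_by += len(chunk) - room


def rewrite(prefix: bytes, capture: bytes, size_with_escaping: bool) -> FixedBuffer:
    """Build `prefix + $1` for a replacement such as /internal_gateway?route=$1.

    A '?' in the prefix means the capture is a query-string argument and must
    be escaped when copied. size_with_escaping=False sizes the buffer from the
    raw capture length (the mismatch described in the article); True sizes it
    from the escaped length (the corrected behaviour).
    """
    is_args = b"?" in prefix
    if is_args and size_with_escaping:
        cap_len = escaped_len(capture)
    else:
        cap_len = len(capture)           # phase 1: counts raw bytes only
    buf = FixedBuffer(len(prefix) + cap_len)
    buf.append(prefix)                   # phase 2: copy, escaping the argument
    buf.append(escape(capture) if is_args else capture)
    return buf


if __name__ == "__main__":
    for cap in (b"users/42", b"a+b%c&d", b"%" * 32):
        bad = rewrite(b"/internal_gateway?route=", cap, size_with_escaping=False)
        good = rewrite(b"/internal_gateway?route=", cap, size_with_escaping=True)
        print(f"{cap!r}: allocated {bad.capacity}, needed {good.capacity}, "
              f"overflow {bad.overflowed_by} bytes")
```

A capture made entirely of expanding bytes needs three times the space the allocation phase reserved, so the attacker controls both the size of the overrun and the bytes written past the end. Whether that write becomes code execution or only a crash is what ASLR and heap layout decide; the write itself happens regardless.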
CERT‑In’s warning to Indian organizations
CERT‑In, India's national‑level cybersecurity agency, has issued Vulnerability Note CIVN‑2026‑0239 detailing multiple vulnerabilities in NGINX products, including the rewrite‑module processing issue tracked as CVE‑2026‑42945. The advisory warns that exploitation can lead to arbitrary command execution, memory corruption, and service disruption on affected systems.
CERT‑In's guidance is directed at all organizations and individual users in India hosting NGINX‑based services, and asks them to:
- Audit configurations for vulnerable rewrite patterns.
- Apply official patches or upgrade to the fixed NGINX versions.
- Monitor log files for unusual HTTP traffic patterns that may indicate exploitation attempts.
Since NGINX is extensively used for corporate websites, application gateways, and internal tools, the CERT‑In note effectively makes this a national‑priority patching exercise for enterprises in India.
Affected Deployments and Enterprise Exposure
The operational blast radius of NGINX Rift spans almost two decades of software releases, from legacy monolithic on‑premises deployments to the latest containerized NGINX deployments:
| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity / CVSS score | Vulnerable component or feature |
|---|---|---|---|---|---|
| NGINX Plus | 37.x | None | 37.0.0 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | ngx_http_rewrite_module |
| NGINX Plus | Rx | R32 – R36 | R36 P4, R32 P6 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | ngx_http_rewrite_module |
| NGINX Open Source | 1.x | 1.0.0 – 1.30.0 | 1.31.0, 1.30.1 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | ngx_http_rewrite_module |
| NGINX Open Source | 0.x | 0.6.27 – 0.9.7 | Will not fix | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | ngx_http_rewrite_module |
| NGINX Instance Manager | 2.x | 2.16.0 – 2.22.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Open Source software components |
| F5 WAF for NGINX | 5.x | 5.9.0 – 5.12.1 | 5.13.0 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX App Protect WAF | 5.x | 5.1.0 – 5.8.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX App Protect WAF | 4.x | 4.9.0 – 4.16.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| F5 DoS for NGINX | 4.x | 4.8.0 | 4.9.0 | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX App Protect DoS | 4.x | 4.3.0 – 4.7.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus software components |
| NGINX Gateway Fabric | 2.x | 2.0.0 – 2.6.0 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Gateway Fabric | 1.x | 1.3.0 – 1.6.2 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Ingress Controller | 5.x | 5.0.0 – 5.4.2 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Ingress Controller | 4.x | 4.0.0 – 4.0.1 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX Ingress Controller | 3.x | 3.5.0 – 3.7.2 | None | High/8.1 (CVSS v3.1); Critical/9.2 (CVSS v4.0) | Base NGINX Plus or NGINX Open Source software components |
| NGINX (all other products) | All | None | Not applicable | Not vulnerable | None |
The same vulnerable ngx_http_script.c code is shared between all the listed downstream projects and the Kubernetes ingress-nginx project, meaning all of them should be regarded as affected until their maintainers ship patched releases.
Although vendor maintainers note that turning this heap overflow into a reliable RCE requires bypassing system ASLR, the threat should not be discounted. A sustained worker‑crash DoS is trivial to maintain by flooding HTTP requests, blinding an enterprise's external application gateway and taking down the web services behind it.
Immediate Remediation Steps: Defending Your Architecture
To eliminate the CVE-2026-42945 risk and meet the CERT-In CIVN-2026-0239 advisory, system administrators and security operations teams should execute a structured remediation plan without delay.
1. Discover and Audit High-Risk Configs
Do not rely on external vulnerability scanners alone: an edge proxy exposes little of its configuration to a network scan. Search every NGINX configuration directory for rewrite, set, and if directives and for references to unnamed captures, then review each hit for the combination that matters here (a rewrite whose replacement contains ? and references $1, $2, ...):
grep -RInE 'rewrite|set |\$[0-9]|if \(' /etc/nginx/
Additionally, check that the host OS enforces system‑wide ASLR. A value of 2 means full address‑space randomization (including the heap) is in effect:
cat /proc/sys/kernel/randomize_va_space
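The grep above is a coarse first pass; it matches every rewrite and set directive, and a human still has to pair each rewrite with the ? and unnamed‑capture conditions. The following Python auditor is an added example (not from the article or from F5) that parses configuration text, flags rewrites whose replacement contains ? and an unnamed capture, and records which rewrite/if/set directives follow them in the same block. The minimal tokenizer, the sample configuration and the audit_tree() helper are assumptions for the example; the sample configuration is constructed and reuses the vulnerable patterns shown earlier on this page.

```python
import os
import re

# Constructed sample configuration for the demo (not from the article or any host).
SAMPLE_CONF = r"""
server {
    listen 80;

    location ~ ^/api/(.*)$ {
        rewrite ^/api/(.*)$ /internal_gateway?route=$1 last;
        set $original_endpoint $1;
    }

    location ~ ^/users/([0-9]+)/(.*)$ {
        rewrite ^/users/([0-9]+)/(.*)$ /profile.php?id=$1&session=$2 last;
    }

    location ~ ^/legacy/(.*)$ {
        rewrite ^/legacy/(.*)$ /old/$1 last;
        if ($1 = "admin") {
            return 403;
        }
    }

    location ~ ^/safe/(?<item>.*)$ {
        rewrite ^/safe/(?<item>.*)$ /new?item=$item last;
        set $picked $item;
    }
}
"""

UNNAMED_CAPTURE = re.compile(r"\$([1-9])")
# Directives the article names as the ones that follow the vulnerable rewrite.
FOLLOWERS = {"rewrite", "if", "set"}


def parse(conf: str) -> list:
    """Minimal nginx.conf tokenizer: returns directives in file order, each tagged
    with the id of the block that contains it. Assumptions: comments start with
    '#', and unquoted regexes contain no ';', '{' or '}' (a {2} quantifier would
    confuse it)."""
    text = re.sub(r"#[^\n]*", "", conf)
    block_stack, next_id, directives = [0], 1, []
    for m in re.finditer(r"\s*(\{|\}|[^;{}]+[;{])", text):
        tok = m.group(1)
        if tok == "}":
            block_stack.pop()
            continue
        body, end = tok[:-1].split(), tok[-1]
        if not body:
            continue
        directives.append({
            "block": block_stack[-1],
            "line": text.count("\n", 0, m.start(1)) + 1,
            "name": body[0],
            "args": body[1:],
            "text": tok[:-1].strip(),
        })
        if end == "{":                    # block opener: its children get a new id
            block_stack.append(next_id)
            next_id += 1
    return directives


def audit(conf: str) -> list:
    """Flag rewrites whose replacement contains '?' and an unnamed capture ($1..$9),
    and record which rewrite/if/set directives follow them in the same block."""
    ds = parse(conf)
    findings = []
    for i, d in enumerate(ds):
        if d["name"] != "rewrite" or len(d["args"]) < 2:
            continue
        replacement = d["args"][1]
        captures = sorted(set(UNNAMED_CAPTURE.findall(replacement)))
        if "?" not in replacement or not captures:
            continue
        followers = [f["name"] for f in ds[i + 1:]
                     if f["block"] == d["block"] and f["name"] in FOLLOWERS]
        findings.append({"line": d["line"], "directive": d["text"],
                         "captures": captures, "followed_by": followers})
    return findings


def audit_tree(root: str = "/etc/nginx") -> dict:
    """Run audit() over every readable file under root (path -> findings)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = audit(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: {f['directive']}  captures=${','.join(f['captures'])}"
              f"  followed by {f['followed_by'] or 'nothing'}")
```

On the sample, the /api/ and /users/ rewrites are flagged; the /legacy/ rewrite is not, because its replacement has no ?, and the /safe/ one is not, because it uses a named capture. Run audit_tree() on each proxy, including the rendered configuration inside Ingress and Gateway Fabric pods, not just the templates in version control.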
2. Implement Immediate Configuration Mitigations
If production constraints prevent an immediate binary upgrade or a host restart, the vulnerable path can be removed by changing the configuration itself. Use explicit, named PCRE captures instead of the unnamed captures ($1, $2) that trigger the flaw.
Named captures bypass the faulty length calculation in the rewrite module entirely.
- Vulnerable pattern: rewrite ^/users/([0-9]+)/(.*)$ /profile.php?id=$1&session=$2 last;
- Mitigated pattern: rewrite ^/users/(?<userid>[0-9]+)/(?<usersession>.*)$ /profile.php?id=$userid&session=$usersession last;
3. Execute Official Upgrades and Process Restarts
Permanent remediation requires upgrading past the vulnerable version boundaries. Pull the updated packages from the upstream distribution repositories and deploy them to every internet‑facing load balancer, API gateway, and Kubernetes Ingress node.
Secure target versions: NGINX Open Source 1.30.1, 1.31.0 or later; NGINX Plus R32 P6, R36 P4, or R37.0.0.
CRITICAL OPERATIONAL NOTE: a package upgrade followed by nginx -s reload is not enough. A reload re‑reads the configuration under the already‑running master process, so the old binary stays in memory, and the old workers linger to drain existing connections. To get the patched binary into service, perform a full restart so the old processes exit and new worker processes start from the updated executable:
Bash
sudo systemctl restart nginx
4. Detection and Monitoring
- Monitor for unexpected worker process exits. The master process records these in the error_log (for example, "worker process 1301 exited on signal 11"), and under systemd they are also visible through the journal:
Bash
journalctl -u nginx | grep -iE "signal.*SIGSEGV|worker process.*exited"
- Review access logs for suspicious patterns: long runs of percent‑encoded bytes, or of the expanding characters +, % and &, in requests that hit rewrite‑governed paths.
- Deploy WAF rules (if using F5 WAF for NGINX, upgrade to 5.13.0; the table above lists no fixed release for NGINX App Protect WAF).
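As an added example (not from the article or from F5), the following Python script runs the two checks above over constructed sample log lines: an access‑log scan for requests to rewrite‑governed prefixes whose path carries a long run of percent‑encoded bytes or many of the expanding characters, and an error‑log scan for worker processes exiting on a signal. The prefix list, the thresholds and the sample lines are assumptions; set the prefixes from the locations your configuration audit flagged.

```python
import re
from collections import Counter

# Constructed sample log lines for the demo (not real traffic). The second and
# third requests carry payload shapes the article associates with exploitation
# attempts: a long run of percent-encoded bytes, and many raw +/& characters.
ACCESS_LOG = "\n".join([
    '203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "GET /api/users/42 HTTP/1.1" 200 512 "-" "curl/8.5"',
    '203.0.113.9 - - [10/Mar/2026:10:01:03 +0000] "GET /api/' + "%25" * 24
    + ' HTTP/1.1" 400 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Mar/2026:10:01:04 +0000] "GET /api/x' + "+" * 20 + "&" * 12
    + ' HTTP/1.1" 400 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Mar/2026:10:01:05 +0000] "GET /static/%25%25%25%25 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
])
# Constructed error_log lines in NGINX's "worker process N exited on signal S" form.
ERROR_LOG = "\n".join([
    "2026/03/10 10:01:03 [alert] 1234#1234: worker process 1301 exited on signal 11",
    "2026/03/10 10:01:03 [notice] 1234#1234: start worker process 1302",
])

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\S+) ')
PCT_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2})+")
EXPANDING = set("+%&")   # characters the article says triple in size when escaped


def score_target(target: str) -> dict:
    """Measure the two payload shapes in the path part of a request target."""
    path = target.split("?", 1)[0]
    longest = max((len(m.group(0)) // 3 for m in PCT_RUN_RE.finditer(path)), default=0)
    return {"longest_pct_run": longest,
            "raw_expanding": sum(1 for ch in path if ch in EXPANDING)}


def suspicious_requests(access_log: str, rewrite_prefixes=("/api/",),
                        min_pct_run: int = 16, min_expanding: int = 16) -> list:
    """Requests under rewrite-governed prefixes whose path carries a long
    percent-encoded run or many expanding characters. Prefixes and thresholds
    are assumptions: set them from the locations your configuration audit flagged."""
    hits = []
    for line in access_log.splitlines():
        m = COMBINED_RE.match(line)
        if not m or not m["target"].startswith(rewrite_prefixes):
            continue
        s = score_target(m["target"])
        if s["longest_pct_run"] >= min_pct_run or s["raw_expanding"] >= min_expanding:
            hits.append({"ip": m["ip"], "time": m["ts"], "target": m["target"],
                         "status": m["status"], **s})
    return hits


def worker_crashes(error_log: str) -> list:
    """Master-process records of a worker dying on a signal (SIGSEGV is 11)."""
    return [ln for ln in error_log.splitlines() if "exited on signal" in ln]


def sources(hits: list) -> Counter:
    """How many flagged requests each client address sent."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = suspicious_requests(ACCESS_LOG)
    for h in flagged:
        print(f"{h['time']} {h['ip']} {h['target'][:48]}... "
              f"pct_run={h['longest_pct_run']} expanding={h['raw_expanding']}")
    for ln in worker_crashes(ERROR_LOG):
        print("worker crash:", ln)
    print("sources:", dict(sources(flagged)))
```

A request that actually crashes a worker is often never written to the access log, because NGINX logs at the end of the request; correlate the error_log crash timestamps with the probing traffic that precedes them rather than expecting a single log line per attempt.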
5. Downstream Dependency Check
Verify OpenResty, Kong, APISIX, ingress-nginx, Tengine, and any other NGINX‑derived deployments in your stack.
Check container images and Kubernetes ingress controllers as well, since they may bundle vulnerable NGINX versions.
Why this matters for your organisation's security posture
The NGINX Rift vulnerability is a sobering reminder that critical bugs can lie dormant in widely trusted, battle‑tested codebases for decades. An automated AI‑assisted review found in six hours what 18 years of manual audits and millions of deployments had missed. As AI‑driven vulnerability discovery accelerates, the cadence of "old codebase, new CVE" disclosures will only intensify.
Communicating this vulnerability in plain language, for example "a bug in URL‑rewriting rules that can crash your web server or let attackers run unwanted commands", helps non‑technical stakeholders appreciate the risk without obscuring the key technical details (ASLR, heap overflows, and PCRE captures) for those who need them.
Qualysec Technology treats this incident as a concrete case study for patch management, configuration auditing, and threat‑driven consulting. For incident response reports and vulnerability assessments aligned with CERT‑In checklists, NGINX‑specific best‑practice references, and rapid fix scripts packaged into client‑ready bulletins, contact Qualysec Technology.