Critical NGINX Rift Vulnerability Patched After 18 Years, Exposing Servers to Remote Code Execution
Security researchers have uncovered a critical heap buffer overflow vulnerability in **NGINX Plus** and **NGINX Open Source**, dubbed **NGINX Rift** (**CVE-2026-42945**), which went undetected for 18 years. This flaw could allow unauthenticated attackers to achieve remote code execution or cause a denial-of-service (DoS) via crafted HTTP requests.

### NGINX Rift: A Deep Dive into CVE-2026-42945
The vulnerability, discovered by **depthfirst**, resides in the `ngx_http_rewrite_module`. According to **F5**, the vulnerability exists when the `rewrite` directive is followed by a `rewrite`, `if`, or `set` directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (e.g., `$1`, `$2`) with a replacement string that includes a question mark (`?`).
An unauthenticated attacker, under certain conditions, can exploit this flaw by sending crafted HTTP requests. This can lead to a heap buffer overflow in the NGINX worker process, potentially causing a restart or, if Address Space Layout Randomization (ASLR) is disabled, remote code execution.
### Affected Versions and Patch Information
The issue affects the following versions and has been addressed, where a fix is listed, after responsible disclosure on April 21, 2026:
* NGINX Plus R32 - R36 (Fixes introduced in R32 P6 and R36 P4)
* NGINX Open Source 1.0.0 - 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0)
* NGINX Open Source 0.6.27 - 0.9.7 (No fixes planned)
* NGINX Instance Manager 2.16.0 - 2.21.1
* F5 WAF for NGINX 5.9.0 - 5.12.1
* NGINX App Protect WAF 4.9.0 - 4.16.0
* NGINX App Protect WAF 5.1.0 - 5.8.0
* F5 DoS for NGINX 4.8.0
* NGINX App Protect DoS 4.3.0 - 4.7.0
* NGINX Gateway Fabric 1.3.0 - 1.6.2
* NGINX Gateway Fabric 2.0.0 - 2.5.1
* NGINX Ingress Controller 3.5.0 - 3.7.2
* NGINX Ingress Controller 4.0.0 - 4.0.1
* NGINX Ingress Controller 5.0.0 - 5.4.1
### Exploitability and Impact
Depthfirst's advisory highlights the severity of the vulnerability, noting that it allows a remote, unauthenticated attacker to corrupt the heap of an NGINX worker process by sending a crafted URI. The ease of exploitation, coupled with the potential for remote code execution, makes this a critical issue.
"An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution," depthfirst stated. "There is no authentication step, no prior access requirement, and no need for an existing session."
Repeated requests can also be used to create a crash loop, significantly degrading availability for sites served by the affected instance.
### Additional Vulnerabilities Patched
In addition to **CVE-2026-42945**, the latest NGINX releases also address the following vulnerabilities:
* **CVE-2026-42946** (CVSS v4 score: 8.3): An excessive memory allocation vulnerability in the `ngx_http_scgi_module` and `ngx_http_uwsgi_module` modules, potentially allowing a remote attacker with adversary-in-the-middle (AitM) capabilities to read NGINX worker process memory or trigger a restart.
* **CVE-2026-40701** (CVSS v4 score: 6.3): A use-after-free vulnerability in the `ngx_http_ssl_module` module, which could grant a remote attacker limited control over data modification or the ability to restart the NGINX worker process.
* **CVE-2026-42934** (CVSS v4 score: 6.3): An out-of-bounds read vulnerability in the `ngx_http_charset_module` module, potentially enabling a remote attacker to disclose memory contents or restart the NGINX worker process.
### Mitigation and Recommendations
Users are strongly advised to upgrade to the latest NGINX versions. If immediate patching is not feasible for **CVE-2026-42945**, a temporary workaround is to change the rewrite configuration, replacing unnamed captures with named captures in every affected rewrite directive.
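
To help locate directives that need the workaround, the following Python script is an added example, not code from F5, depthfirst or the NGINX project. It flags `rewrite` directives whose replacement string contains both an unnamed capture and a `?`, and shows the same rule rewritten with named captures passing the check. The sample configuration is constructed, `find_risky_rewrites` is a hypothetical helper name, and the script assumes one directive per line and treats "followed by" as any later `rewrite`, `if`, or `set` in the same text.

```python
import re

# Constructed sample config (not from the advisory). /old/ uses unnamed captures
# with "?" in the replacement; /fixed/ is the same rule with named captures, as
# the workaround describes; /plain/ has an unnamed capture but no "?".
SAMPLE_CONF = r"""
server {
    location /old/ {
        rewrite ^/old/(.*)/(.*)$ /new/$1?item=$2 last;
        set $legacy 1;
    }
    location /fixed/ {
        rewrite ^/fixed/(?<section>.*)/(?<item>.*)$ /new/$section?item=$item last;
        set $legacy 1;
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /p/$1 last;
    }
}
"""

# Heuristic: assumes one directive per line, which real configs may violate.
DIRECTIVE = re.compile(r"^\s*(rewrite|if|set)\b(.*?)[;{]\s*$")
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
UNNAMED_CAPTURE = re.compile(r"\$\d")  # $1, $2, ...


def find_risky_rewrites(conf_text):
    """Return (line_no, replacement, followed) for each rewrite whose replacement
    contains both an unnamed capture and a question mark. `followed` is True when
    a later rewrite/if/set directive appears anywhere in the same text."""
    directives = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(line.split("#", 1)[0])  # drop trailing comments
        if match:
            directives.append((line_no, match.group(1), TOKEN.findall(match.group(2))))
    findings = []
    for idx, (line_no, name, args) in enumerate(directives):
        if name != "rewrite" or len(args) < 2:
            continue
        replacement = args[1].strip("\"'")
        if "?" in replacement and UNNAMED_CAPTURE.search(replacement):
            findings.append((line_no, replacement, idx + 1 < len(directives)))
    return findings


if __name__ == "__main__":
    for line_no, replacement, followed in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: {replacement} (later rewrite/if/set: {followed})")
```

To audit a real deployment, pass it the fully expanded configuration text (for example the output of `nginx -T`) rather than a single file, so that included files are covered.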