CVE-2026-42945, dubbed "NGINX Rift" by AlmaLinux researchers, is a heap buffer overflow in nginx's ngx_http_rewrite_module — the component that handles rewrite, if, and set directives. The vulnerability has existed in nginx since version 0.6.27, released in 2008, making it an 18-year-old flaw that survived every audit, version bump, and security review in nginx's history. It was disclosed between April 18–21, 2026, and active exploitation was confirmed within days.
A heap buffer overflow occurs when a rewrite directive is followed by rewrite, if, or set directives that use unnamed PCRE capture groups ($1, $2, etc.) in the replacement string containing a question mark (?). The overflow enables both Denial of Service and — under exploitable conditions — unauthenticated Remote Code Execution. The vulnerability is in the nginx worker process; exploitation causes worker crash at minimum, and code execution under favorable memory layout conditions.
Technical Detail: What Triggers the Overflow
The vulnerability is triggered by a specific combination of rewrite directives. A configuration using unnamed PCRE capture groups in combination with a query string redirect is the primary trigger pattern. Example of a vulnerable configuration:
# VULNERABLE — do not use
location /old/ {
rewrite ^/old/(.*)$ /new/$1?migrated last;
}
The safe equivalent uses named capture groups, which avoids the vulnerable code path entirely:
# SAFE — named capture group avoids the overflow
location /old/ {
rewrite ^/old/(?<path>.*)$ /new/${path}?migrated last;
}
A memory safety flaw in nginx's OCSP certificate validation logic. The OCSP resolver processes certificate revocation responses; a use-after-free condition can be triggered when handling malformed or adversarially crafted OCSP responses. Fixed in the same release as NGINX Rift.
Allows injection of malformed HTTP/2 requests through a flaw in nginx's HTTP/2 frame processing. An attacker can craft requests that cause nginx to forward malformed data to upstream servers, potentially enabling request smuggling or upstream cache poisoning depending on the backend configuration.
Remediation — Upgrade nginx
The primary fix is to upgrade nginx to a patched version. All three CVEs are addressed in the same release.
Patched versions:
nginx Open Source: 1.30.1 (stable) or 1.31.0 (mainline) nginx Plus: R36 P4 / R32 P6
Ubuntu / Debian (nginx from official nginx repo):
sudo apt update && sudo apt install --only-upgrade nginx
nginx -v # confirm version is 1.30.1 or higher
sudo systemctl reload nginx
RHEL / CentOS / AlmaLinux / Rocky:
sudo dnf update nginx -y nginx -v sudo systemctl reload nginx
Compile from source (if using custom build):
# Download patched source wget https://nginx.org/download/nginx-1.30.1.tar.gz tar -xzf nginx-1.30.1.tar.gz cd nginx-1.30.1 # Use your existing configure flags (check nginx -V for current flags) ./configure $(nginx -V 2>&1 | grep "configure arguments" | sed 's/configure arguments: //') make sudo make install sudo systemctl restart nginx
Verify the running version:
nginx -v # Expected: nginx version: nginx/1.30.1 (or higher) # Check for vulnerable rewrite patterns in your config grep -rn 'rewrite.*\$[0-9].*?' /etc/nginx/
Temporary Mitigation (if upgrade is not immediately possible)
If you cannot upgrade nginx immediately, the following steps reduce exposure. These are not substitutes for patching.
# 1. Audit your nginx config for vulnerable rewrite patterns grep -rn 'rewrite' /etc/nginx/ | grep '\$[0-9]' | grep '?' # 2. Replace unnamed captures ($1, $2) with named captures in any matches found # Change: rewrite ^/path/(.*)$ /new/$1?param last; # To: rewrite ^/path/(?<slug>.*)$ /new/${slug}?param last; # 3. Test config and reload sudo nginx -t && sudo systemctl reload nginx
"NGINX Rift is the regreSSHion story for 2026 — an 18-year-old flaw in one of the most deployed pieces of software on the internet, hiding in a feature that millions of configurations use every day."
nginx serves roughly 34% of all active websites. CVE-2026-42945's combination of wide reach, long dormancy, and unauthenticated exploitation makes it one of the highest-priority patches of 2026. Unlike vulnerabilities that require specific conditions or attacker proximity, NGINX Rift can be triggered by any HTTP client that sends a request matching a vulnerable rewrite rule — meaning internet-facing deployments with affected configurations are exposed to the entire internet. Check your version. Patch today.