CVE-2026-42945, dubbed "NGINX Rift" by AlmaLinux researchers, is a heap buffer overflow in nginx's ngx_http_rewrite_module — the component that handles rewrite, if, and set directives. The vulnerability has existed in nginx since version 0.6.27, released in 2008, making it an 18-year-old flaw that survived every audit, version bump, and security review in nginx's history. It was disclosed between April 18–21, 2026, and active exploitation was confirmed within days.

CVE-2026-42945 — NGINX Rift
Heap Buffer Overflow in ngx_http_rewrite_module
CVSS: 9.2 Critical  ·  Affected: nginx 0.6.27 – 1.30.0  ·  Auth required: None

A heap buffer overflow occurs when a rewrite directive is followed by rewrite, if, or set directives that use unnamed PCRE capture groups ($1, $2, etc.) in the replacement string containing a question mark (?). The overflow enables both Denial of Service and — under exploitable conditions — unauthenticated Remote Code Execution. The vulnerability is in the nginx worker process; exploitation causes worker crash at minimum, and code execution under favorable memory layout conditions.

Technical Detail: What Triggers the Overflow

The vulnerability is triggered by a specific combination of rewrite directives. A configuration using unnamed PCRE capture groups in combination with a query string redirect is the primary trigger pattern. Example of a vulnerable configuration:

# VULNERABLE — do not use
location /old/ {
    rewrite ^/old/(.*)$ /new/$1?migrated last;
}

The safe equivalent uses named capture groups, which avoids the vulnerable code path entirely:

# SAFE — named capture group avoids the overflow
location /old/ {
    rewrite ^/old/(?<path>.*)$ /new/${path}?migrated last;
}
CVE-2026-40701
Use-After-Free in OCSP Resolver
High  ·  Same patch batch as CVE-2026-42945

A memory safety flaw in nginx's OCSP certificate validation logic. The OCSP resolver processes certificate revocation responses; a use-after-free condition can be triggered when handling malformed or adversarially crafted OCSP responses. Fixed in the same release as NGINX Rift.

CVE-2026-42926
HTTP/2 Request Injection
High  ·  Same patch batch as CVE-2026-42945

Allows injection of malformed HTTP/2 requests through a flaw in nginx's HTTP/2 frame processing. An attacker can craft requests that cause nginx to forward malformed data to upstream servers, potentially enabling request smuggling or upstream cache poisoning depending on the backend configuration.

Remediation — Upgrade nginx

The primary fix is to upgrade nginx to a patched version. All three CVEs are addressed in the same release.

Patched versions:

nginx Open Source: 1.30.1 (stable) or 1.31.0 (mainline)
nginx Plus:        R36 P4 / R32 P6

Ubuntu / Debian (nginx from official nginx repo):

sudo apt update && sudo apt install --only-upgrade nginx
nginx -v  # confirm version is 1.30.1 or higher
sudo systemctl reload nginx

RHEL / CentOS / AlmaLinux / Rocky:

sudo dnf update nginx -y
nginx -v
sudo systemctl reload nginx

Compile from source (if using custom build):

# Download patched source
wget https://nginx.org/download/nginx-1.30.1.tar.gz
tar -xzf nginx-1.30.1.tar.gz
cd nginx-1.30.1

# Use your existing configure flags (check nginx -V for current flags)
./configure $(nginx -V 2>&1 | grep "configure arguments" | sed 's/configure arguments: //')
make
sudo make install
sudo systemctl restart nginx

Verify the running version:

nginx -v
# Expected: nginx version: nginx/1.30.1 (or higher)

# Check for vulnerable rewrite patterns in your config
grep -rn 'rewrite.*\$[0-9].*?' /etc/nginx/

Temporary Mitigation (if upgrade is not immediately possible)

If you cannot upgrade nginx immediately, the following steps reduce exposure. These are not substitutes for patching.

# 1. Audit your nginx config for vulnerable rewrite patterns
grep -rn 'rewrite' /etc/nginx/ | grep '\$[0-9]' | grep '?'

# 2. Replace unnamed captures ($1, $2) with named captures in any matches found
#    Change: rewrite ^/path/(.*)$ /new/$1?param last;
#    To:     rewrite ^/path/(?<slug>.*)$ /new/${slug}?param last;

# 3. Test config and reload
sudo nginx -t && sudo systemctl reload nginx
"NGINX Rift is the regreSSHion story for 2026 — an 18-year-old flaw in one of the most deployed pieces of software on the internet, hiding in a feature that millions of configurations use every day."

nginx serves roughly 34% of all active websites. CVE-2026-42945's combination of wide reach, long dormancy, and unauthenticated exploitation makes it one of the highest-priority patches of 2026. Unlike vulnerabilities that require specific conditions or attacker proximity, NGINX Rift can be triggered by any HTTP client that sends a request matching a vulnerable rewrite rule — meaning internet-facing deployments with affected configurations are exposed to the entire internet. Check your version. Patch today.