CVE-2026-42945: Mitigating a Critical Heap Buffer Overflow Vulnerability in NGINX
CVE-2026-42945, dubbed 'NGINX Rift', is a critical heap buffer overflow vulnerability in the NGINX HTTP rewrite module (ngx_http_rewrite_module). It allows unauthenticated attackers to cause a Denial of Service (DoS) or potentially achieve Remote Code Execution (RCE) by sending crafted HTTP requests to servers configured with specific rewrite directives containing unnamed PCRE captures and a question mark.
Authors: Akamai Security Intelligence Group
Source: Akamai
What Happened
A critical security flaw known as 'NGINX Rift' has been discovered in NGINX, a widely used web server software. The vulnerability affects servers using specific configurations for rewriting web addresses. If exploited, attackers can crash the server, causing an outage, or potentially take control of it. Organizations using NGINX should immediately apply the latest security patches provided by the vendor to protect their systems.
Key Takeaways
- CVE-2026-42945 (NGINX Rift) is a critical heap buffer overflow vulnerability in the NGINX HTTP rewrite module.
- The vulnerability is triggered by unauthenticated HTTP requests with extensive repeating patterns against specific rewrite configurations.
- Exploitation primarily results in Denial of Service (DoS) via worker process crashes, though Remote Code Execution (RCE) is possible if ASLR is bypassed.
- Vulnerable configurations must include unnamed PCRE regular expression captures (e.g., $1) and a question mark (?) in the replacement string.
- Patches are available for NGINX Open Source and NGINX Plus; immediate updates are strongly recommended.
Affected Systems
- NGINX Open Source versions 1.0.0 through 1.30.0
- NGINX Open Source legacy versions 0.6.27 through 0.9.7
- NGINX Plus Release 36 (R36 to R36 P3)
- NGINX Plus Release 32 (R32 to R32 P5)
- NGINX Plus Releases 33, 34, and 35
- NGINX Ingress Controller
- NGINX Gateway Fabric
- NGINX Instance Manager
Vulnerabilities (CVEs)
- CVE-2026-42945
Attack Chain
An unauthenticated attacker sends a specially crafted HTTP request containing extensive repeating patterns, such as continuous '+' characters. The NGINX HTTP rewrite module processes this input against a vulnerable configuration containing unnamed PCRE captures and a question mark. The input bypasses standard length checks, causing a heap buffer overflow that crashes the worker process (DoS). If the attacker can bypass ASLR using an information leak and precise heap grooming, the memory corruption can be escalated to achieve Remote Code Execution (RCE).
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Akamai App & API Protector
Akamai has deployed an Adaptive Security Engine Rapid Rule (3000983) for App & API Protector customers to detect and block exploitation attempts.
Detection Engineering Assessment
- EDR Visibility: Low — The vulnerability occurs in memory within the NGINX worker process. EDR might only detect the resulting crash (DoS) or post-exploitation activity if RCE is successfully achieved.
- Network Visibility: High — The exploit is delivered via HTTP requests containing extensive repeating patterns (like continuous '+' characters), which can be inspected by WAFs and network monitoring tools.
- Detection Difficulty: Moderate — Detecting the DoS crashes is straightforward, but identifying the specific exploit payload requires deep packet inspection or WAF rules capable of identifying anomalous repeating characters in HTTP requests.
Required Log Sources
- Web Server Access Logs
- WAF Logs
- Application Crash Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for HTTP requests containing unusually long strings of repeating characters (e.g., '+') directed at endpoints known to utilize NGINX rewrite rules. | WAF Logs | Initial Access | Low |
| If you have visibility into application health, monitor for frequent, unexplained crashes or restarts of NGINX worker processes, which may indicate attempted DoS or failed RCE exploitation. | System Event Logs | Impact | Medium |
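To make the first hunting hypothesis concrete, here is an added Python example (not part of the Akamai advisory) that scans NGINX combined-format access log entries for long runs of a single repeated character in the request target, percent-decoding first so encoded runs such as %2B are caught as well. The log lines and the 32-character threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed NGINX combined-format access log lines (sample data, not real traffic):
# a benign request, one with a long run of '+' in the path, and one where the
# same kind of run is percent-encoded as %2B.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /old/page HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.11 - - [01/Jan/2026:10:00:02 +0000] "GET /old/' + "+" * 40
    + ' HTTP/1.1" 400 0 "-" "python-requests/2.31"',
    '203.0.113.12 - - [01/Jan/2026:10:00:03 +0000] "GET /old/' + "%2B" * 36
    + ' HTTP/1.1" 400 0 "-" "curl/8.0"',
])

# Fields of the combined log format up to the status code.
_ACCESS = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def longest_repeat(s):
    """Return (char, length) for the longest run of one repeated character in s."""
    best = ("", 0)
    for m in re.finditer(r"(.)\1*", s):
        if len(m.group(0)) > best[1]:
            best = (m.group(1), len(m.group(0)))
    return best

def hunt_repeating_runs(log_text, min_run=32):
    """Flag requests whose (percent-decoded) target contains a run of at least
    min_run identical characters, as the hunting hypothesis describes."""
    hits = []
    for line in log_text.splitlines():
        m = _ACCESS.match(line)
        if not m:
            continue  # skip lines that are not combined-format entries
        target = unquote(m.group("target"))  # so %2B%2B... is seen as ++...
        ch, n = longest_repeat(target)
        if n >= min_run:
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "char": ch,
                         "run": n, "target": target})
    return hits

if __name__ == "__main__":
    for h in hunt_repeating_runs(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} run of {h['run']}x{h['char']!r} in {h['target']}")
```

Tune min_run against your own baseline traffic before alerting on it; legitimate requests with long padding or repeated delimiters will raise the false-positive rate.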
Control Gaps
- Lack of WAF inspection on internal NGINX routing
- Missing ASLR or memory protections on legacy systems
Key Behavioral Indicators
- Frequent NGINX worker process crashes
- HTTP requests with extensive repeating characters bypassing standard length checks
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify all NGINX instances in your environment and audit their configurations for the vulnerable rewrite module pattern (unnamed PCRE captures combined with a '?' in the replacement string).
- Apply the latest patches provided by the vendor (e.g., 1.30.1, 1.31.0, R36 P4, R32 P6) to affected systems.
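The configuration audit in the second step can be scripted. The following Python example is added here and is not Akamai's or the NGINX project's tooling: it parses rewrite directives out of a config fragment and flags those that combine an unnamed PCRE capture group with a '?' in the replacement string, the pattern the advisory describes. The sample config, the directive parsing and the capture-group heuristic are assumptions.

```python
import re

# Constructed nginx.conf fragment (not from the advisory). Only the first rewrite
# combines an unnamed capture with a '?' in its replacement.
SAMPLE_CONF = r"""
server {
    listen 80;
    # unnamed capture $1 used in a replacement that contains '?'
    rewrite ^/old/(.*)$ /search?q=$1 last;
    # '?' present, but the regex has no capture group at all
    rewrite ^/legacy$ /new?src=legacy permanent;
    # unnamed capture, but no '?' in the replacement
    rewrite "^/docs/(.+)$" "/manual/$1" break;
    # named capture, so it does not match the pattern the advisory describes
    rewrite ^/user/(?<name>[a-z]+)$ /profile?u=$name last;
}
"""

# rewrite <regex> <replacement> [flag]; with either argument optionally quoted.
_DIRECTIVE = re.compile(
    r"""^[ \t]*rewrite\s+("[^"]*"|'[^']*'|\S+)\s+("[^"]*"|'[^']*'|\S+)(?:\s+(\w+))?[ \t]*;""",
    re.MULTILINE,
)
# An unnamed PCRE capture is an unescaped '(' not followed by '?'
# ('(?:', '(?<name>' and '(?=' are non-capturing, named or lookaround groups).
_UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")

def _unquote(arg):
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'" else arg

def find_risky_rewrites(conf_text):
    """Return (line_no, regex, replacement) for every rewrite directive whose
    regex has an unnamed capture group and whose replacement contains '?'."""
    risky = []
    for m in _DIRECTIVE.finditer(conf_text):
        regex, repl = _unquote(m.group(1)), _unquote(m.group(2))
        line_no = conf_text.count("\n", 0, m.start()) + 1
        if _UNNAMED_GROUP.search(regex) and "?" in repl:
            risky.append((line_no, regex, repl))
    return risky

if __name__ == "__main__":
    for line_no, regex, repl in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: rewrite {regex} {repl}")
```

Feed it the output of nginx -T so that included files and all server blocks are covered; treat a hit as a prompt to patch, not as proof of exploitability.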
Infrastructure Hardening
- Consider implementing or updating Web Application Firewall (WAF) rules to inspect and block HTTP requests containing anomalous repeating character sequences.
- Evaluate whether legacy NGINX versions (0.6.27 through 0.9.7) can be decommissioned or manually reconfigured to avoid the vulnerable rewrite directives.
User Protection
- N/A
Security Awareness
- N/A
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1499.004 - Endpoint Denial of Service: Application or Service Exhaustion