NGINX Rift: 18-Year Failure in the World’s Most Deployed Web Server Under Active Exploitation

Critical vulnerability CVE-2026-42945, present in NGINX since 2008, was actively exploited three days after proof-of-concept publication. It affects all versions between 0.6.27 and 1.30.0, responsible for 32.8% of global web servers.
Five days were sufficient. On 13 May 2026, F5 and the research firm depthfirst publicly disclosed CVE-2026-42945, dubbed "NGINX Rift", a critical heap buffer overflow vulnerability in the NGINX rewrite module. Proof-of-concept code was published on the same day. According to VulnCheck, active exploitation attempts were detected as early as 16 May, three days post-disclosure, and HelpNetSecurity formally confirmed in-the-wild exploitation on 18 May 2026. The window between exploit publication and in-production attacks shrank to less than a week.
The scope of the issue is considerable. According to W3Techs, as of March 2026, NGINX accounted for 32.8% of all tracked web servers, maintaining its lead over Apache, which held 24.1%. This entire universe of servers, including NGINX Plus from R32 to R36, was exposed to a bug introduced in NGINX 0.6.27 in 2008, 18 years ago.
The Mechanics of the Flaw
CVE-2026-42945 resides in the ngx_http_rewrite_module, the component responsible for processing URL rewriting directives. The flaw occurs when a rule combines an unnamed PCRE capture, such as $1 or $2, with a question mark character in the substitution text. The script engine calculates the size of the destination buffer using one escape method and performs the write using another, incompatible method. Characters such as +, %, and & expand in the second step, causing writes beyond the limits of the allocated heap; no authentication is required of the attacker.
The CVSS v4 score of the vulnerability is 9.2 and the CVSS v3.1 score is 8.1. In default configurations, the outcome is denial of service via a single malformed HTTP request. Researcher Kevin Beaumont and VulnCheck warned that if the attacker manages to disable ASLR on the target server, the flaw can be escalated to remote code execution without the need for credentials.
The long lifecycle of the bug can be explained by the affected code path, which requires a specific combination of directives absent in the reference configurations of the official documentation. Administrators who replicated standard examples never activated the rewrite module in this manner and remained protected by accident for 18 years.
Affected Versions and Remediation
The exposure window covers all versions of NGINX Open Source between 0.6.27 and 1.30.0, as well as NGINX Plus R32 to R36. F5 released patches in versions 1.30.1 on the stable branch and 1.31.0 on the mainline branch on the disclosure date, 13 May. For teams without an immediate maintenance window, there is a configurable mitigation: replacing unnamed PCRE captures with named captures in the affected rewrite directives, eliminating the condition that leads to the overflow.
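The directive pattern described above (an unnamed capture such as $1 together with a question mark in the substitution text) and the named-capture form suggested as mitigation can be audited for in a configuration tree. The following is an added example, not tooling from F5 or depthfirst: a heuristic awk-based check over a constructed sample configuration, which assumes each rewrite directive sits on one line with an unquoted, space-free regex.

```shell
#!/bin/sh
# Audit heuristic (added example): flag rewrite directives whose substitution
# text references an unnamed numbered capture ($1, $2, ...) and also contains
# a question mark. Assumes one directive per line and a regex without spaces,
# which covers common configurations but not every legal nginx syntax.

# Constructed sample configuration: the first rewrite matches the risky
# pattern, the second uses a named capture ($slug), the mitigation form
# mentioned in the advisory, and the third uses $1 with no '?' in the
# substitution and so is not flagged.
SAMPLE_CONF='
server {
    listen 80;
    rewrite ^/old/(.*)$ /new/$1? permanent;
    rewrite ^/old/(?<slug>.*)$ /new/$slug? permanent;
    rewrite ^/legacy/(.*)$ /current/$1 last;
}
'

# Prints each flagged directive as "<lineno>:<directive>".
find_risky_rewrites() {
    # $1: path to an nginx configuration file
    awk '
        # Field 1 is the directive name; field 3 is the substitution text.
        $1 == "rewrite" {
            repl = $3
            # Unnamed numbered capture and a literal question mark together.
            if (repl ~ /\$[0-9]/ && repl ~ /\?/) {
                sub(/^[ \t]+/, "", $0)
                printf "%d:%s\n", NR, $0
            }
        }' "$1"
}

# Returns the number of flagged directives in the given file.
count_risky_rewrites() {
    find_risky_rewrites "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
conf_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf_file"
find_risky_rewrites "$conf_file"
echo "flagged: $(count_risky_rewrites "$conf_file")"
```

Run it over each file that `nginx -T` reports, including configuration baked into container images, and review every flagged directive for conversion to named captures or for an upgrade to a patched release.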
Kubernetes environments operating ingress-nginx, the most widely used ingress controller based on NGINX in the ecosystem, are also within the same exposure radius. The controller processes URL rewrites as a core function, and standard installations of ingress-nginx with configured rewrite directives become vulnerable to the same vector. Platform administrators need to include in their remediation inventory the versions of NGINX embedded in container images and Helm charts, not just the direct installations on the operating system.
A Window That Has Already Closed for Many
The three-day interval between disclosure and the first documented exploitations by VulnCheck contrasts with the average gap of 5 to 15 days observed in recent critical vulnerabilities within web server infrastructure. This data is relevant for response teams: the safe window for evaluation before mass exploitation has virtually disappeared for this class of vulnerability.
Attack surface management platforms like Axonius and Orca Security reported NGINX instances that remained unremediated and accessible via the internet five days post-patch. This pattern is common in widely deployed web infrastructure components: legacy versions accumulate in frozen container images, in CI/CD pipelines that do not enforce base image renewal, and in servers provisioned before the adoption of modern vulnerability management practices. For organisations operating client-facing software platforms, NGINX Rift makes it urgent to conduct a cross-inventory of versions of this server, including what resides within build artefacts, not just what is currently running.