[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8CkK2ap2BPNsE3ZvMYw36j5zbbR1NnN6wMglir8cmR0":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"632b8a20-2ba0-4d68-a5e0-e8c430e4d85d","18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE","18-year-old-nginx-rewrite-module-flaw-enables-unauthenticated-rce-af295a","Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a","Researchers disclosed CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module that went undetected for 18 years. The flaw allows unauthenticated remote attackers to achieve code execution or DoS by sending crafted HTTP requests with specific PCRE capture patterns. F5 released patches across multiple NGINX Plus and Open Source versions after responsible disclosure in April 2026.","18-year-old NGINX rewrite module heap buffer overflow enables unauthenticated RCE","18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE. Ravie Lakshmanan, May 14, 2026. Vulnerability \u002F Web Server. Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. 
The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. It has been codenamed NGINX Rift. \"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,\" F5 said in an advisory released Wednesday. \"This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?).\" \"An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.\" The issue has been addressed in the following versions after responsible disclosure on April 21, 2026: NGINX Plus R32 - R36 (Fixes introduced in R32 P6 and R36 P4); NGINX Open Source 1.0.0 - 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0); NGINX Open Source 0.6.27 - 0.9.7 (No fixes planned); NGINX Instance Manager 2.16.0 - 2.21.1; F5 WAF for NGINX 5.9.0 - 5.12.1; NGINX App Protect WAF 4.9.0 - 4.16.0; NGINX App Protect WAF 5.1.0 - 5.8.0; F5 DoS for NGINX 4.8.0; NGINX App Protect DoS 4.3.0 - 4.7.0; NGINX Gateway Fabric 1.3.0 - 1.6.2; NGINX Gateway Fabric 2.0.0 - 2.5.1; NGINX Ingress Controller 3.5.0 - 3.7.2; NGINX Ingress Controller 4.0.0 - 4.0.1; NGINX Ingress Controller 5.0.0 - 5.4.1. In its own advisory, depthfirst said the vulnerability could allow a remote, unauthenticated attacker to corrupt the heap of an NGINX worker process by sending a crafted URI. 
What makes the vulnerability severe is that it's reachable without authentication, can be reliably used to trigger the heap overflow, and can lead to remote code execution in the NGINX worker process. \"An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution,\" depthfirst said. \"There is no authentication step, no prior access requirement, and no need for an existing session.\" \"The bytes written past the allocation are derived from the attacker’s URI, so the corruption is shaped by the attacker rather than random. Repeated requests can also be used to keep workers in a crash loop and degrade availability for every site served by the instance.\" Also patched in NGINX Plus and NGINX Open Source are three other flaws - CVE-2026-42946 (CVSS v4 score: 8.3) - An excessive memory allocation vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to control responses from an upstream server to read the memory of the NGINX worker process or restart it when scgi_pass or uwsgi_pass is configured. CVE-2026-40701 (CVSS v4 score: 6.3) - A use-after-free vulnerability in the ngx_http_ssl_module module that could allow a remote, unauthenticated attacker to have limited control of modification of data or restart the NGINX worker process when the ssl_verify_client directive is set to \"on\" or \"optional,\" and the ssl_ocsp directive is set to \"on.\" CVE-2026-42934 (CVSS v4 score: 6.3) - An out-of-bounds read vulnerability in the ngx_http_charset_module module that could allow a remote, unauthenticated attacker to disclose memory contents or restart the NGINX worker process when charset, source_charset, and charset_map, and proxy_pass with disabled buffering (\"off\") directives are configured. 
Users are advised to apply the latest versions for optimal protection. If immediate patching is not an option for CVE-2026-42945, users are advised to change the rewrite configuration by replacing unnamed captures with named captures in every affected rewrite directive. Update: A newly released proof-of-concept (PoC) exploit for CVE-2026-42945 includes an \"ASLR-bypass chain that combines the NGINX overflow with a common same-host LFI\u002Farbitrary-file-read primitive,\" allowing unauthenticated remote code execution against servers using rewrite and set directives. \"The working chains do not disable ASLR and do not use the original hardcoded heap\u002Flibc addresses,\" depthfirst said. \"Instead, they derive runtime state through same-port HTTP-accessible primitives, then select the final heap target from remotely obtained disclosure data.\"","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002F18-year-old-nginx-rewrite-module-flaw.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhhCvxtNv7UYYMCITB2HLsBgkN83LdRXcw0wmP9gMAfXeNpmJoOJKNIaQb55b-GLDeQHx-dUBkASGDYgstnvYAE5eFuwyzMSxY804fn56OaTsGlESOab9y-kFHJ-iV5iUlWrc5j27WLduUDhW6nRSjkv5tFMKZjDbbmDdk7_NMZ3y7sipHKy7t4XuMQ9YfG\u002Fs1600\u002Fnn.gif","2026-05-14T06:00:09+00:00","2026-05-14T08:00:17.460266+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"NGINX Plus","product",{"name":22,"type":20},"NGINX Open Source",{"name":24,"type":20},"NGINX Ingress Controller",{"name":26,"type":20},"NGINX App Protect WAF",{"name":28,"type":29},"F5","vendor",{"name":31,"type":32},"depthfirst","threat_actor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",[45,49,52,55],{"type":46,"value":47,"context":48},"cve","CVE-2026-42945","Critical heap buffer overflow in ngx_http_rewrite_module, CVSS 9.2, enables unauthenticated RCE",{"type":46,"value":50,"context":51},"CVE-2026-42946","Excessive memory allocation in ngx_http_scgi_module and 
ngx_http_uwsgi_module, CVSS 8.3",{"type":46,"value":53,"context":54},"CVE-2026-40701","Use-after-free in ngx_http_ssl_module, CVSS 6.3",{"type":46,"value":56,"context":57},"CVE-2026-42934","Out-of-bounds read in ngx_http_charset_module, CVSS 6.3"]