18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

The Hacker News technology

Key Points:

  • Cybersecurity researchers have uncovered multiple vulnerabilities in NGINX Plus and NGINX Open Source, including a critical heap buffer overflow flaw in the ngx_http_rewrite_module (CVE-2026-42945) that has existed unnoticed for 18 years and could enable remote code execution or denial-of-service attacks.
  • The critical flaw, dubbed NGINX Rift, can be exploited by unauthenticated attackers sending specially crafted HTTP requests, with remote code execution possible on systems without ASLR enabled; it affects numerous NGINX versions and related products.
  • Additional patched vulnerabilities include excessive memory allocation in ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), a use-after-free in ngx_http_ssl_module (CVE-2026-40701), and an out-of-bounds read in ngx_http_charset_module (CVE-2026-42934), all allowing potential memory disclosure or service disruption.
  • Fixes have been released in various NGINX Plus and Open Source versions, and users are urged to update promptly or mitigate the critical flaw by modifying rewrite directives to use named PCRE captures instead of unnamed ones.
  • The vulnerabilities highlight the importance of proactive security measures in widely used web server software; because exploitation requires no authentication, the risk to internet-facing NGINX deployments is emphasized.
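
The mitigation in the fourth key point can be checked across a configuration with a short audit script. This is an added example, not code from the article or from NGINX: the sample configuration and the `audit` function are constructed, and it assumes "unnamed captures" means plain `(...)` groups in a `rewrite` pattern and `$1`..`$9` references in its replacement.

```python
import re

# Constructed sample nginx configuration for the demo (not from the article).
SAMPLE_CONF = r"""
server {
    rewrite ^/users/(.*)$ /profile?id=$1 last;
    rewrite ^/items/(?<id>[0-9]+)$ /item?id=$id last;
    rewrite "^/old/(\d+)/(\w+)$" /new/$2/$1 permanent;
    rewrite ^/static/(?:css|js)/(?<f>.+)$ /assets/$f break;
    # rewrite ^/disabled/(.*)$ /x/$1 last;
}
"""

# One directive argument: double-quoted, single-quoted, or bare word.
ARG = r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[^\s;]+'''
REWRITE = re.compile(r'^\s*rewrite\s+(' + ARG + r')\s+(' + ARG + r')')
# "(" that is not escaped and not followed by "?" opens an unnamed capture group.
UNNAMED_GROUP = re.compile(r'(?<!\\)\((?!\?)')
# $1..$9 in the replacement refers to a capture by position.
POSITIONAL_REF = re.compile(r'\$[1-9]')

def audit(conf_text):
    """Return (line_no, pattern, replacement, unnamed_groups, positional_refs)
    for every rewrite directive that relies on unnamed captures."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = REWRITE.match(line)
        if not m:
            continue  # commented-out lines and other directives are skipped
        pattern, replacement = (a.strip('"\'') for a in m.groups())
        groups = len(UNNAMED_GROUP.findall(pattern))
        refs = sorted(set(POSITIONAL_REF.findall(replacement)))
        if groups or refs:
            findings.append((line_no, pattern, replacement, groups, refs))
    return findings

if __name__ == "__main__":
    for line_no, pattern, replacement, groups, refs in audit(SAMPLE_CONF):
        print(f"line {line_no}: {pattern} -> {replacement} "
              f"({groups} unnamed group(s), refs {refs or 'none'})")
```

The group counter is a heuristic: a literal `(` inside a character class is also counted, so flagged lines still need a manual look before being rewritten to the `(?<name>...)` / `$name` form.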
