18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

Publish Date: 2026-05-14 02:00:00

Source Domain: thehackernews.com

Ravie Lakshmanan | May 14, 2026 | Vulnerability / Web Server

Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open Source, including a critical flaw that remained undetected for 18 years.

The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. It has been codenamed NGINX Rift.

“NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,” F5 said in an advisory released Wednesday. “This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?).”

“An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.”
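For administrators triaging their own configurations, the directive pattern F5 describes can be searched for mechanically. The Python sketch below is an added example, not code from F5, depthfirst or the article; the function names and the sample configuration are constructed, and the matching rule is one assumed reading of the advisory's wording (it does not follow `include` files or look inside nested blocks).

```python
import re

# Constructed sample configuration (not from the article or the F5 advisory).
SAMPLE_CONF = r"""
location /app/ {
    rewrite ^/app/(.*)$ /index.php?page=$1;
    set $backend legacy;
}
location /static/ {
    rewrite ^/static/(.*)$ /assets/$1 last;
    set $kind static;
}
"""

TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')
UNNAMED_CAPTURE = re.compile(r"\$\d")  # $1, $2, ...
FOLLOWERS = {"rewrite", "if", "set"}   # directives named in the advisory

def parse_blocks(conf):
    """Split a config into blocks, each a list of (line, args) directives."""
    blocks, stack, cur, line = [], [[]], [], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):  # comment token, ignore
            continue
        if tok not in ("{", "}", ";"):
            line = line if cur else conf.count("\n", 0, m.start()) + 1
            cur.append(tok.strip("\"'"))  # drop surrounding quotes
            continue
        if cur:  # ';', '{' or '}' closes the pending directive
            stack[-1].append((line, cur))
            cur = []
        if tok == "{":
            stack.append([])
        elif tok == "}" and len(stack) > 1:
            blocks.append(stack.pop())
    return blocks + stack

def find_risky_rewrites(conf):
    """Assumed heuristic: rewrite with '?' in its replacement, then rewrite/if/set, with $N used."""
    findings = []
    for block in parse_blocks(conf):
        for i, (line, args) in enumerate(block):
            if args[0] != "rewrite" or len(args) < 3 or "?" not in args[2]:
                continue
            for nline, nargs in block[i + 1:]:
                refs = args[2] + " " + " ".join(nargs[1:])
                if nargs[0] in FOLLOWERS and UNNAMED_CAPTURE.search(refs):
                    findings.append((line, nline, " ".join(args)))
                    break
    return findings
```

Each finding is a tuple of the `rewrite` line, the line of the following directive, and the `rewrite` text; a hit means the block deserves manual review against the advisory and the fixed versions, not that it is confirmed exploitable.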

The issue has been addressed in the following versions after responsible disclosure on April 21, 2026:

  • NGINX Plus R32 – R36 (Fixes introduced in R32 P6 and R36 P4)
  • NGINX Open Source 1.0.0 – 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0)
  • NGINX Open Source 0.6.27 – 0.9.7 (No fixes planned)
  • NGINX Instance Manager 2.16.0 – 2.21.1
  • F5 WAF for NGINX 5.9.0 – 5.12.1
  • NGINX App Protect WAF 4.9.0 – 4.16.0
  • NGINX App Protect WAF 5.1.0 – 5.8.0
  • F5 DoS for NGINX 4.8.0
  • NGINX App Protect DoS 4.3.0 – 4.7.0
  • NGINX Gateway Fabric 1.3.0 – 1.6.2
  • NGINX Gateway Fabric 2.0.0 – 2.5.1
  • NGINX Ingress Controller 3.5.0 – 3.7.2
  • NGINX Ingress Controller 4.0.0 – 4.0.1
  • NGINX Ingress Controller 5.0.0 – 5.4.1

In its own advisory, depthfirst said the…
