devtake.dev

F5 patched an 18-year-old NGINX bug. Attackers can RCE a third of the web with one crafted request.

F5 disclosed CVE-2026-42945 on May 13 after depthfirst's analyzer found a heap overflow in a 2008 commit. NGINX 1.31.0 ships the patch; every supported Plus release needs an upgrade.

Luca Reinhardt · 4 min read · 5 sources
Image: stylized illustration of a remote code execution attack flow (via SOCRadar)

F5 patched an 18-year-old hole in NGINX on May 13. The bug, tracked as CVE-2026-42945 and named NGINX Rift by its discoverer, lets an unauthenticated attacker corrupt a worker process's heap with a single crafted request and turn that corruption into remote code execution. NGINX runs roughly a third of the web.

The flaw lives in ngx_http_rewrite_module, the module behind the rewrite and set directives most operators use for URL rewriting and capture-group substitution. depthfirst, an autonomous code-analysis platform run by Leo Lin’s team, scanned the NGINX tree on April 18, surfaced the bug six hours later, and had a working RCE in hand a week after that. F5 confirmed the issue, shipped patches on May 13, and published a coordinated advisory the same day. CVSS v4: 9.2. No known exploitation in the wild yet.

How a flag desynced two engines

NGINX’s script engine evaluates every rewrite value in two passes: a length pass that works out how big the output buffer must be, and a copy pass that fills it. Both passes are supposed to see the same state. The bug is that they disagree on one internal flag, is_args, which records whether the engine has already emitted the ? that starts the query string.

When a rewrite directive contains a question mark and is followed by a set that references an unnamed capture group, the length phase runs on a freshly zeroed sub-engine. There is_args reads as 0, so every byte of the captured text is sized as one byte. The copy phase runs on the main engine, where the question mark has already flipped is_args to 1, so the same bytes are URI-escaped on the way out. Each escaped byte becomes three (%XX), so three bytes land where one was sized for. The worker’s pool allocator hands back a buffer (pos) sized for the unescaped length, and ngx_escape_uri writes past its end.

depthfirst’s writeup is blunt about the exploit primitive: “The destination buffer pos was allocated with raw_size, but ngx_escape_uri expands the characters and writes the much larger raw_size + 2 * N bytes.” With heap feng shui on the worker’s memory pool, that overflow becomes an arbitrary write, and from there arbitrary code execution as the nginx user.
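The desync above reduces to arithmetic that is easy to see in isolation. The following is an added example, a small Python model written for this article, not NGINX source: it keeps only the two passes and the one flag they disagree on. The UNRESERVED set (what the model leaves unescaped) and the rule that a ? in the replacement sets is_args are assumptions of the model; the real ngx_escape_uri escape table is wider, but only the one-byte-to-three-byte expansion matters for the size calculation.

```python
# Added example: a model of the two-pass sizing mismatch described above.
# This is NOT NGINX source. It keeps only the arithmetic the article describes:
# a length pass and a copy pass that disagree on the is_args flag, so the copy
# pass URI-escapes bytes the length pass counted as one byte each.
from __future__ import annotations
from dataclasses import dataclass

# Assumption of the model: everything outside this set is escaped as %XX.
# The real ngx_escape_uri escape table is wider than "unreserved"; only the
# 1-byte-to-3-byte expansion matters for the size arithmetic.
UNRESERVED = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


@dataclass
class ScriptEngine:
    """Stand-in for the per-pass engine state; only the flag at issue is kept."""
    is_args: bool = False  # set once a '?' has been emitted into the URI


def capture_len(e: ScriptEngine, capture: bytes) -> int:
    """Length pass: bytes the engine reserves for a captured substring."""
    if not e.is_args:
        return len(capture)
    escaped = sum(1 for b in capture if b not in UNRESERVED)
    return len(capture) + 2 * escaped          # raw_size + 2 * N


def capture_copy(e: ScriptEngine, capture: bytes) -> bytes:
    """Copy pass: bytes the engine actually writes for the same substring."""
    if not e.is_args:
        return bytes(capture)
    out = bytearray()
    for b in capture:
        out += bytes([b]) if b in UNRESERVED else b"%%%02X" % b
    return bytes(out)


def model_set_after_rewrite(replacement: bytes, capture: bytes, fresh_sub_engine: bool) -> dict:
    """Size and then copy a $N reference evaluated after a rewrite whose
    replacement is `replacement`. fresh_sub_engine=True reproduces the bug:
    the length pass runs on a zeroed engine while the copy pass runs on the
    main engine, whose is_args was set by the '?' in the replacement.
    Returns the reserved size, the written size and the resulting overrun."""
    main = ScriptEngine(is_args=b"?" in replacement)
    sizer = ScriptEngine() if fresh_sub_engine else main
    sized = capture_len(sizer, capture)
    written = capture_copy(main, capture)
    return {"sized": sized, "written": len(written), "overflow": max(0, len(written) - sized)}


if __name__ == "__main__":
    # Constructed input: a captured path segment with three bytes that need escaping.
    cap = b"a b&c=d"
    for buggy in (True, False):
        r = model_set_after_rewrite(b"/internal?migrated=true", cap, fresh_sub_engine=buggy)
        print("buggy" if buggy else "fixed", r)
```

With the zeroed sub-engine the model reserves 7 bytes for the constructed capture and writes 13, an overrun of exactly 2 * N for N = 3 escaped bytes; with shared state, or with no ? in the replacement, the two passes agree and the overrun is zero.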

The trigger config is unfortunately ordinary:

rewrite ^/api/(.*)$ /internal?migrated=true;
set $original_endpoint $1;

Any API-gateway pattern that captures unnamed groups and rewrites with a ? in the replacement is exposed. That includes default-shaped configs in Kubernetes ingress, plenty of WordPress front-ends, and most of the legacy reverse-proxy boilerplate copy-pasted across the internet for the past decade.

What’s actually affected

F5’s advisory lists 13 product lines as exposed, including:

  • NGINX Open Source: 0.6.27 through 1.30.0. The vulnerable commit shipped in 2008.
  • NGINX Plus: R32 through R36.
  • F5 NGINX App Protect WAF, NGINX Ingress Controller, Gateway Fabric, Instance Manager, and the F5 WAF for NGINX bundle.

Builds older than 0.6.27 (the genuinely ancient stuff) predate the vulnerable commit. Everything from 0.6.27 up to the current stable and mainline branches is vulnerable, and only those current branches get fixes; older release lines receive no backports. If you’re still on a 2009-era binary, the answer is to upgrade the host, not to wait for a fix.

The patch and the workaround

For Open Source, the fix is in NGINX 1.31.0 and 1.30.1. A configuration reload (nginx -s reload) is not enough to pick up the new binary: the master process forks new workers from its own, still-unpatched executable image. Either restart the service or use the binary upgrade procedure, sending the master SIGUSR2 so it execs the new binary and then SIGQUIT to the old master once the new one is serving, and confirm with ps that the master and its workers started after the upgrade. Plus customers want R36 P4 or R32 P6.

If you can’t upgrade in the next 48 hours, there’s a config-only mitigation that holds up: named captures, (?<name>...), go through a different escaping path that doesn’t desync is_args. Replace every unnamed group such as (.*) with a named one, (?<api_path>.*), and every $1 with $api_path, check the result with nginx -t, and reload; a plain config reload is enough here, since no new binary is involved. Cover every rewrite in every included file, not just the one you remember writing. depthfirst confirmed the named-capture path is safe; F5’s advisory echoes it.
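Finding every config that matches the trigger shape described earlier, and applying the named-capture workaround to each one, is tedious by hand. The following is an added example written for this article, not tooling from F5, depthfirst or the NGINX project: a line-based Python heuristic that flags rewrites with an unnamed group and a ? in the replacement when a later directive in the same block references $N, and converts the flagged rewrites to named captures. It is deliberately broader than the page’s set $var $1 example (any later $N reference in the block counts), it assumes one directive per line with no embedded whitespace in arguments, the sample config is constructed, and it does not understand character classes such as [(]; review its output and run nginx -t before reloading.

```python
# Added example (not F5's, depthfirst's or the NGINX project's tooling): a heuristic
# scanner for the trigger shape this article describes, plus an automatic conversion
# of flagged rewrites to named captures, the config-only workaround above.
# Line-based text heuristic: review its output and run `nginx -t` before reloading.
from __future__ import annotations
import re

# rewrite <regex> <replacement> [flag];
# Assumptions: one directive per line, arguments without embedded whitespace;
# surrounding quotes are unwrapped for analysis and restored on output.
REWRITE_RE = re.compile(
    r"^(?P<indent>\s*)rewrite\s+(?P<regex>\S+)\s+(?P<repl>\S+)"
    r"(?:\s+(?P<flag>last|break|redirect|permanent))?\s*;")
# A '(' that opens an unnamed capturing group: not escaped, not followed by '?'
# (so (?<name>...), (?:...) and lookarounds are skipped). Character classes
# such as [(] are not understood; known limitation of this heuristic.
UNNAMED_GROUP_RE = re.compile(r"(?<!\\)\((?!\?)")
NUMERIC_REF_RE = re.compile(r"\$(\d)")  # $0 .. $9


def _unquote(arg: str) -> tuple[str, str]:
    if len(arg) > 1 and arg[0] in "\"'" and arg[-1] == arg[0]:
        return arg[1:-1], arg[0]
    return arg, ""


def find_trigger_patterns(config: str) -> list[dict]:
    """Flag a rewrite whose regex has an unnamed group and whose replacement
    contains '?', when a $N reference follows before the enclosing block ends
    or the next rewrite starts. Broader than the article's `set $var $1` case:
    any later directive using $N in the same block counts as a hit."""
    lines = config.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        regex, _ = _unquote(m.group("regex"))
        repl, _ = _unquote(m.group("repl"))
        if not UNNAMED_GROUP_RE.search(regex) or "?" not in repl:
            continue
        ref_lines = []
        for j in range(i + 1, len(lines)):
            if lines[j].strip().startswith("}") or REWRITE_RE.match(lines[j]):
                break
            if NUMERIC_REF_RE.search(lines[j]):
                ref_lines.append(j + 1)  # 1-based, like nginx error messages
        if ref_lines:
            findings.append({"line": i + 1, "regex": regex, "replacement": repl,
                             "ref_lines": ref_lines})
    return findings


def _rename_refs(text: str, names: dict[int, str]) -> str:
    return NUMERIC_REF_RE.sub(
        lambda r: "$" + names[int(r.group(1))] if int(r.group(1)) in names else r.group(0),
        text)


def to_named_captures(config: str) -> tuple[str, list[dict]]:
    """Return the config with every flagged rewrite converted to named groups
    ((?<capN>...)) and the matching $N references renamed to $capN."""
    lines = config.splitlines(keepends=True)
    findings = find_trigger_patterns(config)
    for f in findings:
        i = f["line"] - 1
        m = REWRITE_RE.match(lines[i])
        regex, rq = _unquote(m.group("regex"))
        repl, pq = _unquote(m.group("repl"))
        names: dict[int, str] = {}

        def name_group(_: re.Match) -> str:
            n = len(names) + 1
            names[n] = f"cap{n}"
            return f"(?<cap{n}>"

        named = UNNAMED_GROUP_RE.sub(name_group, regex)
        flag = f" {m.group('flag')}" if m.group("flag") else ""
        tail = lines[i][m.end():]  # whatever followed the ';' (comment, newline)
        lines[i] = (f"{m.group('indent')}rewrite {rq}{named}{rq} "
                    f"{pq}{_rename_refs(repl, names)}{pq}{flag};{tail}")
        for j in f["ref_lines"]:
            lines[j - 1] = _rename_refs(lines[j - 1], names)
    return "".join(lines), findings


# Constructed sample config: one vulnerable-shaped block, one rewrite without
# a '?' in its replacement, and one block that already uses a named capture.
SAMPLE_CONFIG = """\
server {
    listen 80;
    location /api/ {
        rewrite ^/api/(.*)$ /internal?migrated=true;
        set $original_endpoint $1;
        proxy_pass http://backend;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 break;  # no '?' in the replacement
    }
    location /v2/ {
        rewrite ^/v2/(?<path>.*)$ /internal?v=2;
        set $endpoint $path;                       # already named
    }
}
"""

if __name__ == "__main__":
    for hit in find_trigger_patterns(SAMPLE_CONFIG):
        print(f"line {hit['line']}: rewrite {hit['regex']} -> {hit['replacement']}, "
              f"$N used on lines {hit['ref_lines']}")
    print(to_named_captures(SAMPLE_CONFIG)[0])
```

Point it at the output of nginx -T rather than at individual files, since that dump already has every include resolved; on the sample above it flags only the /api/ block and rewrites it to (?<cap1>.*) with $cap1, leaving the other two locations untouched.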

AlmaLinux’s security team already pushed a patched build into its testing repo and is staging promotion to stable this week. Debian, Ubuntu and RHEL builds are tracking similarly. If you’re running a packaged distribution NGINX, watch your distro’s advisory feed today, not Friday.

What this means for you

If you operate NGINX in front of anything, even an internal Grafana, your patching window is right now, not the next maintenance Saturday. The Hacker News writeup notes that depthfirst published a PoC repo alongside the advisory, so any reasonable attacker has a working exploit by lunchtime. depthfirst’s team framed the access bar honestly: “there is no authentication step, no prior access requirement, and no need for an existing session.”

This is also the second high-severity bug an AI-driven analyzer has surfaced in widely deployed open-source infrastructure in two weeks, after Mozilla’s Mythos run found 271 Firefox flaws. The trend is unmistakable: 18-year-old logic bugs are getting flushed out by tooling that doesn’t get bored. The same tooling is also in the hands of the people you don’t want finding them first. Patch today.


Quick reference

RCE
Remote code execution: an attacker runs arbitrary code on the target machine, the worst class of bug.
CVSS
Common Vulnerability Scoring System, the 0 to 10 severity scale used by NVD; 7.0+ counts as High, 9.0+ Critical.
heap feng shui
Shaping the heap layout with controlled allocations and frees so that a useful target object sits where an overflow can reach it, or so that a later allocation lands at a predictable spot. Common step in turning a memory bug into code execution.
