Critical NGINX Vulnerability CVE-2026-42945 Under Active Exploitation After PoC Release
Threat actors are actively exploiting a critical heap buffer overflow in NGINX (CVE-2026-42945) just days after F5 released patches and a public proof-of-concept emerged, with over 5.7 million internet-exposed servers potentially vulnerable.

Active exploitation of a critical-severity vulnerability in NGINX, tracked as CVE-2026-42945 and dubbed 'Nginx Rift,' has begun in the wild, according to a warning from VulnCheck. The flaw, a heap buffer overflow in the ngx_http_rewrite_module component, carries a CVSS score of 9.2 and lurked undetected in the NGINX codebase for 16 years. F5 released patches last week, but shortly afterward, security firm Depthfirst published technical details and proof-of-concept (PoC) exploit code, shortening the path from patch to exploitation.
The vulnerability resides in the script engine's two-pass process for calculating buffer size and copying data. Under specific conditions, an unpropagated flag allows attacker-supplied data to be written past the heap boundary. On default deployments, successful exploitation triggers a server restart, causing a denial-of-service (DoS) condition. However, if Address Space Layout Randomization (ASLR) is disabled, the bug can lead to remote code execution (RCE). The flaw can be exploited remotely without authentication via crafted HTTP requests, but it requires a specific rewrite configuration to be present.
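As an added, constructed illustration of the bug class described above (a toy, not NGINX's code and not the real CVE-2026-42945 logic): a sizing pass that never sees a flag the copy pass honours, shown beside a fixed sizing routine and a copy pass that bounds-checks and fails closed instead of writing past the buffer. The escape rule, function names and inputs are all assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy of a two-pass size/copy mismatch (hypothetical; not NGINX code).
 * Pass 1 measures the output, the caller allocates that many bytes, pass 2 writes.
 * If pass 2 honours a flag (here: percent-escaping spaces) that pass 1 never saw,
 * pass 1 undercounts and an unchecked pass 2 would write past the heap buffer. */

/* Bytes a copy of src[0..n) produces; spaces expand to "%20" when escape is set. */
static size_t size_pass(const char *src, size_t n, int escape) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += (escape && src[i] == ' ') ? 3 : 1;
    return len;
}

/* Buggy sizing: the escape flag is not propagated, so it is always measured as 0. */
size_t buggy_required(const char *src, size_t n, int escape) {
    (void)escape;                      /* flag dropped: this is the defect */
    return size_pass(src, n, 0);
}

/* Fixed sizing: measure with the same flag the copy pass will use. */
size_t fixed_required(const char *src, size_t n, int escape) {
    return size_pass(src, n, escape);
}

/* Hardened copy pass: returns bytes written, or (size_t)-1 and stops writing
 * as soon as the output would exceed cap, instead of overflowing. */
size_t copy_pass(const char *src, size_t n, int escape, char *dst, size_t cap) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = (escape && src[i] == ' ') ? 3 : 1;
        if (out + need > cap)          /* the check an unsafe copy pass lacks */
            return (size_t)-1;
        if (need == 3) memcpy(dst + out, "%20", 3);
        else dst[out] = src[i];
        out += need;
    }
    return out;
}

/* 1 if the buggy sizing would under-allocate for this input (overflow condition). */
int buggy_under_allocates(const char *src, size_t n, int escape) {
    return buggy_required(src, n, escape) < size_pass(src, n, escape);
}
```

The mitigation pattern is the same one a patch for this class applies: compute the size with exactly the state the copy will use, and keep an independent bounds check in the copy so a future mismatch fails closed.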
VulnCheck researcher Patrick Garrity reported seeing active exploitation on VulnCheck's canary systems. 'We're seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,' Garrity warned. While crashing an NGINX worker process is relatively trivial with a single crafted request, achieving RCE is more difficult because most deployments have ASLR enabled by default.
The scale of the potential attack surface is significant. VulnCheck noted that a Censys query surfaced approximately 5.7 million internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is likely a much smaller subset. The vulnerability affects both NGINX Plus and NGINX Open Source, making it a widespread concern for organizations relying on the popular web server, reverse proxy, and load balancer.
Security researchers are urging immediate patching, warning that wider exploitation attempts are inevitable, especially since the public PoC can be used to disable ASLR and achieve RCE. Organizations should immediately apply the patches released by F5 and review their NGINX configurations to ensure they are not running vulnerable versions or exposing the rewrite module unnecessarily. The rapid progression from patch to PoC to active exploitation underscores the critical importance of timely vulnerability management in the current threat environment.
VulnCheck researchers confirmed they observed exploitation attempts on their canary systems within days of the CVE's publication, and a public proof-of-concept exploit appeared the same day patches were released. While the heap buffer overflow (CVSS 9.2) can crash NGINX worker processes reliably, security researcher Kevin Beaumont noted that modern Linux distributions always enable ASLR, making remote code execution extremely unlikely in practice. Censys scans identified roughly 5.7 million internet-exposed NGINX servers running potentially vulnerable versions, underscoring the urgency for patching.
VulnCheck researcher Patrick Garrity reported that exploitation attempts began on May 16, three days after the PoC release. While denial-of-service is achievable on default configurations, code execution requires disabling ASLR on the target. F5 has released fixes for NGINX Open Source (1.31.0, 1.30.1), NGINX Plus (R36 P4, R32 P6), and other products, with AlmaLinux, Ubuntu, and Debian also issuing patches.