Researchers disclosed a critical 18-year-old heap buffer overflow in NGINX’s ngx_http_rewrite_module, codenamed NGINX Rift, that can enable remote code execution or denial-of-service through crafted HTTP requests. F5 also patched three additional vulnerabilities across NGINX Plus and NGINX Open Source, and advised users to upgrade or replace unnamed regex captures with named captures where needed. #NGINXRift #NGINX #F5 #CVE202642945 #CVE202642946 #CVE202640701 #CVE202642934
Key points
- A critical heap buffer overflow exists in ngx_http_rewrite_module.
- The flaw is tracked as CVE-2026-42945 and codenamed NGINX Rift.
- Unauthenticated attackers can trigger the issue with crafted HTTP requests.
- The bug may lead to remote code execution or repeated worker crashes.
- F5 also fixed three other NGINX vulnerabilities and urged immediate patching.
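A defender-side check for the mitigation mentioned in the summary (replacing unnamed regex captures with named ones), added here as an illustrative example and not taken from F5, NGINX or the linked article: it lists the lines of an NGINX configuration where a rewrite-module directive references a numbered capture (`$1` to `$9`). The directive list, the `audit` function and the sample configuration are constructed assumptions; the summary does not say which directives or patterns are affected.

```python
import re

# Directives of ngx_http_rewrite_module that can reference regex captures.
# Assumption: the summary does not say which are affected, so all are listed.
REWRITE_DIRECTIVES = ("rewrite", "if", "set", "return")
NUMBERED_CAPTURE = re.compile(r"\$[1-9]")  # NGINX unnamed captures: $1 .. $9

# Constructed sample configuration (not from the article).
SAMPLE_CONF = r"""
server {
    listen 8080;
    # rewrite ^/old/(.*)$ /new/$1;
    location / {
        rewrite ^/user/(\d+)$ /profile?id=$1 last;
        rewrite ^/item/(?<item_id>\d+)$ /catalog?id=$item_id last;
        if ($request_uri ~ ^/dl/(.+)/(.+)$) {
            set $file $2;
        }
        return 404;
    }
}
"""


def audit(config_text):
    """Return (line_number, directive, captures) for each rewrite-module
    line that references a numbered capture and should be reviewed."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Drop comments; a '#' inside a quoted regex is not handled here.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        directive = line.split()[0]
        if directive not in REWRITE_DIRECTIVES:
            continue
        captures = sorted(set(NUMBERED_CAPTURE.findall(line)))
        if captures:
            findings.append((lineno, directive, captures))
    return findings


if __name__ == "__main__":
    for lineno, directive, captures in audit(SAMPLE_CONF):
        print(f"line {lineno}: '{directive}' uses {', '.join(captures)}; "
              "consider a named capture such as (?<name>...)")
```

The `rewrite` in the sample that already uses `(?<item_id>...)` is not reported, and neither is the commented-out directive.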
Read More: https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html