NGINX 'Rift' heap overflow CVE-2026-42945 now seeing exploitation attempts in VulnCheck honeypots

The 18-year-old heap overflow in NGINX's rewrite module, CVE-2026-42945, disclosed last week as part of the 'Rift' bug cluster, is now seeing real exploitation attempts. AI-native security firm VulnCheck says its honeypot networks have caught attackers probing the flaw, though the goal of the campaigns is not yet clear. The vulnerability lets an unauthenticated attacker crash NGINX worker processes by sending crafted HTTP requests. Turning that crash into remote code execution requires the target host to have Address Space Layout Randomization (ASLR) disabled, which is uncommon by default, but the worker-crash denial-of-service is exploitable on its own and rated urgent.

Check
Search NGINX error logs for unusual worker crashes since 2026-05-13. Identify servers running NGINX open source before 1.30.1/1.31.0 or NGINX Plus before R32 P6 / R36 P4.
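One way to script this Check step, as an added example that is not code from the article, VulnCheck or NGINX: it scans error-log lines for the standard NGINX "worker process N exited on signal S" alert since 2026-05-13 and flags versions that fall inside the affected ranges the article lists. The log lines are constructed samples; the version boundaries are taken from the Affected and Fix sections.

```python
"""Triage helpers for the CVE-2026-42945 'Check' step: find worker crashes in the
NGINX error log since disclosure and flag unpatched versions (constructed example)."""
import re
from datetime import datetime

# NGINX error-log line for a worker dying on a signal, e.g.
# "2026/05/14 03:21:07 [alert] 1234#1234: worker process 5678 exited on signal 11"
CRASH_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (\d+) exited on signal (\d+)"
)
DISCLOSURE = datetime(2026, 5, 13)  # date given in the article's Check step

def find_worker_crashes(lines, since=DISCLOSURE):
    """Return (timestamp, pid, signal) for every worker crash at or after `since`."""
    hits = []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if ts >= since:
            hits.append((ts, int(m.group(2)), int(m.group(3))))
    return hits

def oss_vulnerable(version):
    """Open source 0.6.27 through 1.30.0 is affected; 1.30.1 and 1.31.0 are fixed."""
    v = tuple(int(p) for p in version.split("."))
    return (0, 6, 27) <= v < (1, 30, 1)

def plus_vulnerable(release):
    """NGINX Plus R32 through R36 is affected unless at R32 P6+ or R36 P4+."""
    m = re.fullmatch(r"R(\d+)(?: P(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised NGINX Plus release: {release!r}")
    r, p = int(m.group(1)), int(m.group(2) or 0)
    if not 32 <= r <= 36:
        return False
    fixed_patch = {32: 6, 36: 4}.get(r)  # R33-R35 have no listed fix: upgrade
    return fixed_patch is None or p < fixed_patch

# Constructed sample log: one pre-disclosure crash, a reload notice, two later crashes.
SAMPLE_LOG = [
    "2026/05/01 10:00:00 [alert] 100#100: worker process 101 exited on signal 11",
    "2026/05/14 03:21:07 [notice] 100#100: signal 1 (SIGHUP) received, reconfiguring",
    "2026/05/14 03:21:07 [alert] 100#100: worker process 202 exited on signal 11 (core dumped)",
    "2026/05/15 08:00:00 [alert] 100#100: worker process 303 exited on signal 6",
]
```

Feed it `open("/var/log/nginx/error.log")` instead of `SAMPLE_LOG` and the output of `nginx -v` to `oss_vulnerable`; a post-disclosure SIGSEGV (signal 11) on an unpatched build is the combination worth escalating.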
Affected
NGINX open source 0.6.27 through 1.30.0; NGINX Plus R32 through R36. Exploitable for DoS by default; RCE requires ASLR disabled on the target host.
Fix
Upgrade open source NGINX to 1.30.1 (stable) or 1.31.0 (mainline), or NGINX Plus to R32 P6 / R36 P4. Confirm ASLR remains enabled (default on supported Linux distributions).