NGINX Rift: 18-year-old heap overflow in the rewrite module lets anyone on the internet crash or take over an NGINX server (CVE-2026-42945)

An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.

Check

Grep your NGINX configs for rewrite directives that combine unnamed captures ($1, $2) with question marks in the replacement, and inventory the NGINX version on every reverse proxy you operate.

Affected

NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; NGINX Instance Manager, App Protect WAF, Gateway Fabric, and Ingress Controller across multiple versions.

Fix

Upgrade NGINX Open Source to 1.31.0 or 1.30.1; NGINX Plus users to R36 P4 or R32 P6. If patching is delayed, swap unnamed captures for named captures ((?<name>...)) in every affected rewrite directive.