Nginx Vulnerability Exploited by Hackers Affects NGINX and F5 Products

Post Views: 12

Security Flaw in NGINX Web Server Exposes Systems to Denial-of-Service Attacks

A recently discovered high-severity security flaw, known as CVE-2026-42945 or Nginx Rift, affects NGINX, a widely used open-source web server software.

Vulnerability Overview

The vulnerability is a heap-based buffer overflow (CWE-122) located within the ngx_http_rewrite_module and impacts NGINX Open Source versions 0.6.27 through 1.30.0, NGINX Plus versions R32 through R36, and several associated F5 products, including the NGINX Ingress Controller and F5 WAF for NGINX.

“This vulnerability allows an attacker to cause a denial-of-service condition by manipulating the NGINX configuration.”

— VulnCheck Vulnerability Researcher Patrick Garrity

Exploitation Details

To trigger this bug, a server administrator must have configured a specific setting involving a rewrite directive followed by another rewrite, if or set directive, with the rule utilizing an unnamed regular expression capture group pointing to a replacement string containing a literal question mark. An unauthenticated attacker can then craft a Uniform Resource Identifier (URI) to manipulate NGINX into making a calculation error when determining the required memory space, causing the system to overwrite data past its allocated memory block.

Potential Impact

According to a Censys query run by VulnCheck, approximately 5.7 million web servers are running potentially vulnerable NGINX versions. However, achieving remote code execution (RCE) requires disabling Address Space Layout Randomization (ASLR), a basic defense feature enabled by default in almost every operating system. As a result, VulnCheck considers the current exploitation primarily a Denial-of-Service (DoS) threat.

Recommendations

F5 has addressed the issue in NGINX Open Source versions 1.31.0 and 1.30.1, and NGINX Plus versions R36 P4 and R32 P6. Linux distributors for Ubuntu, Debian, and AlmaLinux have also released patches. For systems that cannot be updated immediately, F5 recommends mitigating the flaw by modifying configurations to use named captures instead of unnamed ones.

Update your NGINX installation: Apply the latest patches for your version of NGINX.
Mitigate the flaw: Modify configurations to use named captures instead of unnamed ones.
Monitor your systems: Keep a close eye on your systems for signs of exploitation.

Experts warn that the correct security posture is to assume the existence of a weaponized exploit is inevitable and advise patching as soon as possible. Defense strategies should focus on treating the DoS risk with high priority and applying updates promptly.