
NGINX Rift: An 18-Year-Old Vulnerability Found by AI

1.3K views· 109 likes· 2:45· May 15, 2026


An 18-year-old heap overflow in NGINX's rewrite module, discovered by an AI scanner in six hours. F5 shipped patches on May 13: NGINX 1.31.0 on mainline, 1.30.1 on stable.

The flaw is called NGINX Rift (CVE-2026-42945) and was discovered by security firm depthfirst. Their AI-powered source-code analysis system flagged four memory corruption issues in the NGINX codebase after six hours of scanning. The heap overflow itself was introduced in NGINX 0.6.27 in 2008 and survived in every release through 1.30.0, plus NGINX Plus R32 through R36.

The trigger is a configuration pattern depthfirst describes as common: a rewrite directive uses an unnamed PCRE capture ($1, $2, etc.), the replacement string contains a question mark, and that rewrite is followed by another rewrite, if, or set directive in the same scope. NGINX sizes the destination buffer using one set of escaping rules and writes to it using a different set. The result is a heap buffer overflow from a single unauthenticated HTTP request.

Bleeping Computer reports the bug can be exploited for remote code execution under certain conditions. depthfirst's published proof-of-concept demonstrates code execution against a system with ASLR turned off. ASLR is on by default on modern systems, so DoS is broadly reachable but RCE on a default install takes more work.

Workaround if you can't immediately upgrade: switch unnamed captures to named captures, or restructure so there's no following rewrite, if, or set directive in the same scope.

Sources:
- depthfirst writeup: https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
- F5 advisory: https://my.f5.com/manage/s/article/K000161019
- Bleeping Computer: https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/
- PoC: https://github.com/depthfirstdisclosures/nginx-rift

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday. #cybersecurity #nginx #homelab
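A config audit for the trigger pattern described above, added here as an example and not code from depthfirst, F5 or the NGINX project: it walks an nginx config scope by scope and reports rewrite directives whose replacement references an unnamed capture ($1, $2, ...), contains a question mark, and is followed by a rewrite, if or set in the same scope. The sample config, the whitespace-split tokenizer, and treating a `$<digit>` reference in the replacement as the signal for an unnamed capture are assumptions of this example.

```python
import re
# Constructed sample config: the /old block matches the pattern, /named does not.
SAMPLE_CONF = r"""
server {
    listen 80;
    location /old {
        rewrite ^/old/(.*)$ /new/$1?from=old last;
        set $flag 1;   # a rewrite/if/set follows in the same scope
    }
    location /named {
        rewrite ^/old/(?<path>.*)$ /new/$path?from=old last;
        set $flag 1;
    }
}
"""

FOLLOWERS = {"rewrite", "if", "set"}   # directives named in the trigger pattern

def tokenize(text):
    """Yield ('stmt', words), ('open', words) or ('close', None); comments stripped, args assumed space-free."""
    text = re.sub(r"#[^\n]*", "", text)
    buf = ""
    for ch in text:
        if ch in ";{}":
            kind = {";": "stmt", "{": "open", "}": "close"}[ch]
            yield (kind, None if kind == "close" else buf.split())
            buf = ""
        else:
            buf += ch

def find_risky_rewrites(text):
    """Return rewrite directives whose replacement references an unnamed capture
    ($1, $2, ...) and contains '?', and that are followed by a rewrite, if or set
    directive in the same scope (the pattern from the writeup, as a heuristic)."""
    scopes, findings = [[]], []        # one list of pending candidates per scope
    for kind, words in tokenize(text):
        if kind == "close":
            scopes.pop()               # candidates with no follower are dropped
            continue
        name = words[0] if words else None
        if name in FOLLOWERS:
            findings.extend(scopes[-1])   # every pending candidate is now followed
            scopes[-1].clear()
        if name == "rewrite" and len(words) >= 3:
            if re.search(r"\$\d", words[2]) and "?" in words[2]:
                scopes[-1].append(" ".join(words))
        if kind == "open":
            scopes.append([])          # 'if (...) {' and location blocks open a scope
    return findings
```

The checker does not follow include directives or handle quoted arguments containing spaces, so run it over the fully resolved configuration (the output of `nginx -T`) rather than the individual files.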
