Free CVE-2026-42945 scanner to detect NGINX Rift
This free CVE-2026-42945 scanner checks if your target is vulnerable to NGINX Rift.
Active exploitation is confirmed in the wild for this critical heap buffer overflow in NGINX's ngx_http_rewrite_module that's part of every standard NGINX build since 2008.
Because NGINX powers more than 30% of all websites globally and sits at the edge of countless backend systems, any unpatched instance is a target.
See the technical details and mitigation steps below while we prepare a PDF report you can share with your team.
- Scan type
Light scan
This free CVE-2026-42945 scanner checks if your target is vulnerable to NGINX Rift.
Active exploitation is confirmed in the wild for this critical heap buffer overflow in NGINX's ngx_http_rewrite_module that's part of every standard NGINX build since 2008.
Because NGINX powers more than 30% of all websites globally and sits at the edge of countless backend systems, any unpatched instance is a target.
See the technical details and mitigation steps below while we prepare a PDF report you can share with your team.
What is CVE-2026-42945 (NGINX Rift)?
Technical details
CVE-2026-42945 is a critical heap buffer overflow in NGINX's ngx_http_rewrite_module, publicly disclosed on May 13, 2026. The flaw has existed in every standard NGINX build since version 0.6.27, released in 2008, which meant this issue sat undetected for the past 18 years.
The root cause is a size mismatch between two internal passes over a rewrite replacement string. When NGINX processes a rewrite rule that uses rewrite or set directives together with unnamed regex captures ($1, $2, etc.) and the replacement string contains a ? character, it calculates the required buffer size in the first pass, then writes more data than expected in the second pass - overflowing the allocated heap region.
An attacker who sends a crafted HTTP request that triggers this code path can:
- Crash the NGINX worker process (DoS), which auto-restarts - but repeated attacks create a denial-of-service loop.
- Execute arbitrary code on systems where ASLR is disabled or bypassable, achieving full remote code execution with no credentials and no user interaction.
NGINX is the world's most widely deployed web server and reverse proxy - it powers roughly a third of all websites globally and sits at the edge of countless Kubernetes ingress controllers, API gateways, CDN nodes, and load balancers.
A remotely exploitable vulnerability in NGINX does not affect one target; it potentially affects every system that NGINX fronts.
How we detect CVE-2026-42945
Version fingerprinting alone is not sufficient for this CVE.
The vulnerability is only triggered when the running NGINX configuration contains the specific rewrite / set pattern with unnamed captures. That means a version check can both:
- overstate risk when the server runs a vulnerable binary but the trigger pattern is absent.
- understate risk when an old embedded binary in a container is missed by scanners.
Our Network Vulnerability Scanner detects CVE-2026-42945 through version fingerprinting - it identifies the NGINX version running on your target and flags any instance in the vulnerable range (0.6.27-1.30.0 for Open Source) as exposed.
This means findings appear as unconfirmed in your report - consistent with how version-based detections are labelled across the platform. The vulnerability is present in the binary regardless of whether the specific rewrite pattern appears in your configuration; if you're running an unpatched version, upgrading is the right action whether or not the trigger pattern is active.
Note on NGINX Plus: Our detection covers NGINX Open Source. NGINX Plus detection has not yet been validated in our test environment - if you're running NGINX Plus R32-R36, treat this as exposure until patched.
Products affected by CVE-2026-42945
The vulnerability is present in all standard NGINX builds that include ngx_http_rewrite_module - which is compiled in by default.
As a consequence, the following versions are affected:
| Product | Vulnerable range | First patched version |
|---|---|---|
| NGINX Open Source | 0.6.27 - 1.30.0 | 1.30.1 (stable) / 1.31.0 (mainline) |
| NGINX Plus | R32 - R36 | R36 P1 (patch release) |
If you're running Kubernetes, check your ingress controller image separately - many bundle NGINX and do not update it when you update your main NGINX installation. A clean apt upgrade nginx on your servers will not patch a binary baked into a container image.
Note: for NGINX Open Source versions 0.6.27-0.9.7, no backport patch is planned. Upgrade to 1.30.1 or later.
NGINX is also embedded in third-party products including Kubernetes ingress controllers, API gateways, CDN appliances, and vendor-packaged software images. These deployments require separate inventory and patching, so upgrading your primary NGINX installation is not sufficient if embedded copies remain.
CVE-2026-42945 severity
CVE-2026-42945 carries a CVSS v4.0 base score of 9.2 (Critical) and a CVSS v3.1 base score of 9.8 (Critical).
The high scores reflect three factors coming together:
- No authentication required: any unauthenticated remote attacker can trigger the flaw with a single HTTP request.
- No user interaction required: the victim does not need to click anything or take any action.
- Broad attack surface: the vulnerable module is included in every standard NGINX build and the trigger pattern, unnamed captures in rewrite rules, is common in real-world configurations.
Put together: any unpatched, internet-exposed NGINX instance is vulnerable to denial-of-service by anyone with an HTTP client. That's the practical summary to bring to leadership.
How attackers exploit CVE-2026-42945
Exploitation is straightforward:
- No credentials required - unauthenticated exploitation.
- No user interaction required - the attacker does not need to trick anyone into clicking a link.
- Remotely exploitable - any internet-exposed NGINX instance running the vulnerable configuration is at risk. Active exploitation is confirmed in the wild.
- Public PoC available - DepthFirst published a detailed technical writeup and proof-of-concept on the day of disclosure.
The real-world impact of a successful exploit depends on ASLR status:
- ASLR enabled: the attacker can reliably crash the NGINX worker process (DoS). The worker auto-restarts, but repeated crashes create a sustained denial-of-service loop, making the service unreliable and causing requests to fail.
- ASLR disabled: the heap overflow becomes a remote code execution primitive. The attacker can execute arbitrary code as the NGINX worker user, potentially pivot to other services, read secrets from memory, or establish persistence on the host. No public exploit currently demonstrates an ASLR bypass - RCE requires ASLR to be explicitly disabled, which is non-default on modern Linux installations.
Because NGINX typically fronts many services, a compromised NGINX instance can expose every upstream application it proxies, not just the server itself.
CVE-2026-42945 disclosure timeline
| Date | Event |
|---|---|
| April 2026 | DepthFirst runs an AI-powered analysis on the NGINX source code and autonomously detects four remote memory corruption flaws, including CVE-2026-42945. |
| May 13, 2026 | CVE-2026-42945 is publicly disclosed. F5 issues an emergency advisory. Patches released: NGINX Open Source 1.30.1 / 1.31.0, NGINX Plus R36 P1. |
| May 13, 2026 | DepthFirst publishes a detailed technical writeup and proof-of-concept. |
| May 13, 2026 | Active exploitation confirmed in the wild. |
| May 19, 2026 | We add detection for CVE-2026-42945 to the Network Vulnerability Scanner on Pentest-Tools.com. |
How to mitigate CVE-2026-42945
The only complete remediation is upgrading NGINX to a patched version. Vendor advisories are available from F5 / NGINX and NVD. Given indicators of active exploitation are confirmed and a public PoC exists, you may want to treat this as an emergency patch based on your infrastructure and business context.
Upgrade path:
- NGINX Open Source: upgrade to 1.30.1 (stable) or 1.31.0 (mainline).
- NGINX Plus: upgrade to R36 P1.
- Audit container images, Kubernetes ingress controllers, and vendor-packaged appliances separately - embedded NGINX versions require independent patching.
If you cannot update immediately, apply these temporary controls - but understand they are not fixes:
- Rewrite your NGINX config to replace unnamed captures (
$1,$2) with named captures ((?<name>...)) in all affectedrewriteandsetdirectives. F5 documents this workaround in their security advisory. This eliminates the vulnerable code path without upgrading. - Restrict access to NGINX instances from untrusted networks using firewall rules, where operationally feasible.
- Monitor NGINX error logs and worker process restart frequency for unexpected crash patterns that may indicate active exploitation attempts.
Note: The named-capture workaround is config-specific. You must audit every rewrite rule in every server block and every included config file. If you have large or inherited NGINX configurations, the upgrade path is safer and faster than a manual config audit.
CVE-2026-42945 references
CVE-2026-42945 scanner report
Once the scan completes, you'll get a finding that includes:
- the detected NGINX version
- the vulnerable range it falls into
- CVSS score and severity rating
- step-by-step remediation guidance you can action or share directly
You can download it as a PDF and share it with whoever handles remediation.
About our Network Vulnerability Scanner
Our Network Vulnerability Scanner is a well-rounded tool for all your network security assessments.
It combines multiple engines and fine-tuned scan settings that surface more than 17,000 vulnerabilities, misconfigurations, and outdated services.
Each scan automatically updates your attack surface and provides an up-to-date map for planning targeted attacks or strategic lateral movements.
Explore a sample report which includes a vulnerability summary, automatically confirmed findings, evidence, and more.
See what else it can doIn a transparent benchmark, our tool outperformed the 6 most popular network scanners on the market - both open-source and commercial.
FAQs
What is ngx_http_rewrite_module?
ngx_http_rewrite_module is one of the most widely used NGINX modules. It lets administrators define rules that rewrite or redirect incoming URLs at the HTTP server level. For example, redirecting HTTP to HTTPS, canonicalising domain names, or rewriting request URIs before passing them to upstream services.
Because rewrite rules are a standard part of almost every production NGINX configuration, the module is compiled into NGINX by default.
This is precisely what makes CVE-2026-42945 unusually broad: the vulnerable code is present in every standard NGINX build, and the trigger pattern - unnamed captures in rewrite rules - is common in real-world configurations.
What is a heap buffer overflow?
A heap buffer overflow occurs when a program writes more data to a region of heap memory than was allocated for it. The excess data overwrites adjacent memory, which can corrupt internal data structures, crash the process, or - if exploited carefully - allow an attacker to control what gets written and where.
In the case of CVE-2026-42945, the overflow happens in NGINX's worker process during HTTP request processing. At minimum, it crashes the worker, which auto-restarts. On systems where ASLR is disabled, a skilled attacker can use the overflow as a remote code execution primitive.
How widespread is the CVE-2026-42945 exposure?
NGINX powers over a third of all websites globally and is embedded in many more systems as a reverse proxy, load balancer, Kubernetes ingress controller, and API gateway. The affected version range covers virtually every NGINX build released between 2008 and May 2026.
The practical exposure is hard to quantify precisely because NGINX version information is often suppressed from HTTP headers in production.
What is clear is that any NGINX instance running a vulnerable version with the rewrite pattern in its configuration is exploitable by any unauthenticated remote attacker.
Does ASLR protect against CVE-2026-42945?
Partially. ASLR (Address Space Layout Randomization) randomises the memory addresses used by a process, making it harder for an attacker to predict where to write malicious data.
With ASLR enabled, CVE-2026-42945 reliably produces a worker crash (DoS), but full remote code execution requires bypassing ASLR, which is harder.
However, ASLR is not a fix. It raises the bar for exploitation but does not eliminate the vulnerability.
The only complete remediation is patching. Many embedded or container environments also run NGINX with non-default security configurations where ASLR may be disabled.
Why are you offering a free scanner for CVE-2026-42945?
Every day, our team develops tools, detections, and exploits to help security professionals find vulnerabilities before attackers can exploit them.
We know the fight is unfair: security teams follow strict rules, while threat actors do whatever they want. That's why we build free tools like this one - so security teams can validate their exposure quickly, without waiting for a scheduled scan or a costly engagement.
What is the named-capture workaround for CVE-2026-42945?
F5's security advisory includes a configuration-level workaround: replace all unnamed captures ($1, $2) with named captures ((?<name>pattern)) in every affected rewrite and set directive. This eliminates the vulnerable code path.
Rewrite rules live in your nginx.conf file and any files it includes via include directives - typically under /etc/nginx/sites-available/ or /etc/nginx/conf.d/. You need to audit every file in every location.
For example, a vulnerable rule like:
rewrite ^/user/(.+)/profile$ /profile?id=$1 break;
would become:
rewrite ^/user/(?<id>.+)/profile$ /profile?id=${id} break;
Important: The workaround requires a full audit of every rewrite rule in your NGINX configuration, including included files. It is config-specific and easy to miss in large or inherited configurations. Upgrading NGINX is the safer and more complete path.
How do you tell if a website is using NGINX?
The quickest method is checking the HTTP response headers. NGINX typically identifies itself in the Server header - you'll see Server: nginx or Server: nginx/1.x.x in the response. You can inspect this in your browser's developer tools (Network tab, select any request, Headers), or run:
curl -I https://example.com
and look for the Server field in the output.
That said, many production deployments suppress or spoof the Server header to reduce fingerprinting surface. A missing or generic header does not mean NGINX is not running - it may just mean it has been hardened.
What is the difference between NGINX, NGINX Plus, and NGINX One?
Three distinct products are often conflated:
NGINX Open Source is the free, community-maintained web server. It's what most deployments run, and it's what CVE-2026-42945 affects (versions 0.6.27 through 1.30.0).
NGINX Plus is F5's commercial version, adding active health checks, session persistence, JWT authentication, a live monitoring dashboard, and official support SLAs. CVE-2026-42945 also affects NGINX Plus (R32 through R36) because it shares the same ngx_http_rewrite_module codebase.
NGINX One is a separate product entirely - F5's SaaS management and observability platform for NGINX fleets. It's not a web server; it manages and monitors NGINX instances. CVE-2026-42945 is a vulnerability in the NGINX runtime, not in the management plane, so NGINX One itself is not directly affected - but any NGINX Open Source or Plus instances it manages may be.
If you're assessing exposure to CVE-2026-42945, the question to answer is which version of NGINX Open Source or NGINX Plus is running on your servers, not which management tooling sits above it.
What is the NGINX website?
NGINX's official website is nginx.org, where F5 maintains documentation, release notes, and security advisories - including the advisory for CVE-2026-42945 and download links for the patched versions (1.30.1 and 1.31.0).