Vulnerability Management

Critical ‘NGINX Rift’ vulnerability discovered, present for 18 years

May 14, 2026
By SC Staff

As reported by Security Affairs, a critical heap buffer overflow vulnerability, named NGINX Rift and tracked as CVE-2026-42945, has been discovered in NGINX Plus and NGINX Open Source, remaining undetected for eighteen years. The vulnerability, with a CVSS v4 score of 9.2, resides in the ngx_http_rewrite_module and affects a significant portion of internet infrastructure due to NGINX's widespread use as a reverse proxy, load balancer, and more.

NGINX Rift is triggered by a specific configuration pattern involving rewrite directives with unnamed PCRE capture groups and a question mark in the replacement string, followed by another directive. This leads to a heap overflow where the write operation extends beyond the allocated buffer, allowing attackers to control the memory corruption through crafted HTTP requests. Exploitation can lead to remote code execution or denial-of-service by crashing worker processes.

The flaw affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus R32 through R36, along with various F5 and NGINX products. Patches were released on April 21, 2026. While no exploitation in the wild has been reported, immediate upgrades or configuration workarounds are recommended.

Source: Security Affairs
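Defenders who cannot patch immediately will want to know which rewrite directives match the pattern the article describes. The scanner below is an added example, not code from the article or from NGINX: the REWRITE_RE grammar, the capture-group counting heuristic and the sample configuration are all my own assumptions, and a hit marks a directive for review rather than confirming exploitability, since the article does not give the exact vulnerable form.

```python
import re

# Constructed heuristic scanner (not NGINX's own config parser): finds rewrite
# directives whose regex has unnamed PCRE capture groups and whose replacement
# string contains a literal '?', the pattern the advisory summary describes.
REWRITE_RE = re.compile(
    r'^[ \t]*rewrite\s+(?P<regex>"[^"]*"|\'[^\']*\'|\S+)\s+'
    r'(?P<repl>"[^"]*"|\'[^\']*\'|\S+)(?:\s+(?:last|break|redirect|permanent))?\s*;',
    re.MULTILINE,
)

def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s

def unnamed_capture_groups(regex):
    """Count '(' groups that are capturing and unnamed: skips escaped parens,
    parens inside [...] classes, and every '(?...' construct (named groups,
    non-capturing groups, lookarounds)."""
    count, i, in_class = 0, 0, False
    while i < len(regex):
        c = regex[i]
        if c == "\\":
            i += 2                      # escaped character such as \( or \?
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and regex[i + 1:i + 2] != "?":
            count += 1                  # plain capturing group
        i += 1
    return count

def find_suspicious_rewrites(config_text):
    """Return (line_no, regex, replacement) for each rewrite directive that
    combines unnamed capture groups with a '?' in its replacement string."""
    hits = []
    for m in REWRITE_RE.finditer(config_text):
        regex, repl = _unquote(m.group("regex")), _unquote(m.group("repl"))
        if unnamed_capture_groups(regex) and "?" in repl:
            hits.append((config_text.count("\n", 0, m.start()) + 1, regex, repl))
    return hits

# Constructed sample configuration: only the first rewrite should be flagged.
SAMPLE_CONF = """\
server {
    listen 80;
    # unnamed group plus '?' in the replacement, followed by another directive
    rewrite ^/old/(.*)$ /new/$1? permanent;
    proxy_pass http://backend;
    rewrite ^/user/(?<name>[a-z]+)$ /profile?u=$name last;   # named group only
    rewrite ^/api/(v[0-9]+)/(.*)$ /$1/backend/$2 break;       # no '?' in replacement
}
"""

if __name__ == "__main__":
    for line_no, regex, repl in find_suspicious_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: rewrite {regex} {repl}  <- review against CVE-2026-42945")
```

The scanner reads one text blob and does not follow include directives, so feed it the fully expanded configuration printed by `nginx -T`.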