NGINX Rift: Uncovering an 18-Year-Old Heap Overflow Vulnerability
A critical security vulnerability, dubbed "NGINX Rift" (CVE-2026-42945), has been discovered in one of the world's most widely used web servers. The flaw is a heap overflow that has remained undetected for 18 years, spanning versions 0.6.27 to 1.30.0.
This discovery highlights the importance of continuous security auditing of even the most mature software projects. Even in a highly stable codebase, a critical vulnerability in legacy code paths (specifically those involving the rewrite and set directives) can remain hidden for nearly two decades.
The Technical Nature of the Vulnerability
The vulnerability is a heap overflow. In technical terms, a heap overflow occurs when a program writes more data into a heap-allocated memory block than that block was allocated to hold, so the excess spills into and corrupts adjacent heap memory, which an attacker may be able to control.
According to the discovery team at DepthFirst, the vulnerability is triggered when a specific combination of the rewrite and set directives in the NGINX configuration is used. While not every NGINX installation is likely to be impacted, those using these directives for complex routing or variable assignment up to version 1.30.0 are at risk.
Exploitation and the Role of ASLR
One of the most critical aspects of this vulnerability is how it can bypass modern security mitigations such as Address Space Layout Randomization (ASLR).
While F5 (the owner of NGINX) has stated that code execution is possible primarily on systems where ASLR is disabled, the researchers who discovered the flaw have provided a counter-argument based on NGINX's architecture.
NGINX uses a multi-process architecture in which worker processes are forked from a single master process. Because of this design, the master's memory space is duplicated exactly into every child worker, giving all workers the same deterministic heap layout.
"If our exploit fails and crashes a worker, the master process simply spawns a new one with the exact same memory layout. This allows us to safely try multiple times until we succeed without worrying about the worker crashing and changing the memory layout."
This deterministic nature allows an attacker to potentially leak ASLR offsets by progressively overwriting pointers byte by byte, theoretically making the vulnerability exploitable even on systems with ASLR enabled.
Impact and Mitigation
The discovery of CVE-2026-42945 is a stark reminder that a software project's perceived stability and maturity are no guarantee of security.
How to Mitigate
If you are running an NGINX version between 0.6.27 and 1.30.0, you are advised to take the following actions:
- Update NGINX: The primary recommendation is to update to the latest patched version provided by NGINX/F5.
- Review Configuration: If an immediate update is not possible, review your configuration files for the use of the rewrite and set directives. If these can be replaced or alternative routing logic can be implemented, this may mitigate the risk.
As noted by community members, this pattern of using rewrite and set is common in classic PHP applications deployed via NGINX, making those legacy deployments particularly worth auditing.
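To support the configuration review step above, here is an added example audit script (not a DepthFirst, F5 or NGINX tool) that checks two things the article identifies: whether a given NGINX version string falls inside the affected range 0.6.27 to 1.30.0, and whether an nginx.conf-style file uses the rewrite and set directives, reporting every context in which both appear together. The parser handles the common configuration syntax (nested {} blocks, ;-terminated directives, # comments). The sample configuration is constructed for the example and loosely modelled on the classic PHP front-controller layout mentioned above; the hostname example.test is a placeholder.

```python
"""Audit NGINX configuration for rewrite/set directive usage and check the
server version against the affected range reported for CVE-2026-42945.
Added illustrative example; the version bounds come from the article, the
config parser is a deliberately small reimplementation, not NGINX's own."""
import re

# Affected range as stated in the article (inclusive on both ends).
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

# Tokens: double-quoted string, single-quoted string, structural {};, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def parse_version(version):
    """Turn '1.24.0' or 'nginx/1.24.0' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(?:nginx/)?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version):
    """True if the version lies within the range the article reports as vulnerable."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def _strip_comments(text):
    """Remove '#' comments, but leave '#' alone when it sits inside quotes."""
    out = []
    for line in text.splitlines():
        kept, quote = [], None
        for ch in line:
            if quote:
                kept.append(ch)
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
                kept.append(ch)
            elif ch == "#":
                break
            else:
                kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


def parse_config(text):
    """Parse nginx.conf-style text into a tree of blocks.

    Each block is {"name", "line", "directives": [(name, args, line)], "children"}."""
    root = {"name": "main", "line": 0, "directives": [], "children": []}
    stack, current, cur_line = [root], [], 0
    for lineno, line in enumerate(_strip_comments(text).splitlines(), 1):
        for tok in TOKEN_RE.findall(line):
            if tok == "{":
                block = {"name": " ".join(current), "line": cur_line,
                         "directives": [], "children": []}
                stack[-1]["children"].append(block)
                stack.append(block)
                current = []
            elif tok == "}":
                if len(stack) == 1:
                    raise ValueError(f"unbalanced '}}' at line {lineno}")
                stack.pop()
                current = []
            elif tok == ";":
                if current:  # directive name followed by its arguments
                    stack[-1]["directives"].append((current[0], current[1:], cur_line))
                current = []
            else:
                if not current:
                    cur_line = lineno  # remember where this directive/block header began
                current.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed block at end of configuration")
    return root


def audit(text):
    """Report every rewrite/set directive and each context that uses both."""
    findings, contexts_with_both = [], []

    def walk(block, path):
        seen = set()
        for name, args, line in block["directives"]:
            if name in ("rewrite", "set"):
                findings.append({"context": path, "line": line,
                                 "directive": name, "args": args})
                seen.add(name)
        if {"rewrite", "set"} <= seen:
            contexts_with_both.append(path)
        for child in block["children"]:
            walk(child, f"{path} > {child['name']}")

    walk(parse_config(text), "main")
    return {"rewrite_set_directives": findings, "contexts_with_both": contexts_with_both}


# Constructed sample configuration; NOT taken from any real deployment.
SAMPLE_CONF = """
# constructed sample, loosely modelled on a classic PHP front-controller setup
http {
    server {
        listen 80;
        server_name example.test;   # placeholder hostname
        location / {
            set $script_name $uri;
            rewrite ^/old/(.*)$ /new/$1 permanent;
            try_files $uri /index.php?q=$uri;
        }
        location /static/ {
            expires 30d;
        }
    }
}
"""

if __name__ == "__main__":
    for v in ("nginx/1.24.0", "1.30.0", "1.31.0"):
        print(f"{v}: {'AFFECTED' if version_is_affected(v) else 'outside affected range'}")
    report = audit(SAMPLE_CONF)
    for f in report["rewrite_set_directives"]:
        print(f"line {f['line']:>3}: {f['directive']} {' '.join(f['args'])}  [{f['context']}]")
    for ctx in report["contexts_with_both"]:
        print(f"rewrite and set used together in: {ctx}")
```

Point the script at a real configuration by reading the file into audit(); note that it reads one file only, so included files (include directives) must be audited individually, and a version that parse_version does not recognise raises rather than silently passing.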