Executive summary
- In May 2026, details emerged regarding a critical vulnerability affecting NGINX web servers. The vulnerability, which the security community has dubbed “NGINX Rift,” is officially tracked as CVE-2026-42945.
- The vulnerability stems from a heap buffer overflow that allows an unauthenticated attacker to cause denial of service (DoS) or, potentially, achieve remote code execution (RCE). The vulnerability affects production environments that utilize specific, yet common, configurations of the NGINX rewrite module.
- Although the maintainers have addressed this issue with patches, many production environments and downstream ecosystem products remain at risk.
- Akamai has proactively deployed an Adaptive Security Engine Rapid Rule to protect our customers from this threat.
Vulnerability details
At the center of the issue is an unauthenticated heap buffer overflow vulnerability within the NGINX HTTP rewrite module (ngx_http_rewrite_module). Specifically, the module mishandles overly long strings or continuous repeating characters when evaluating rewrite rules.
It is important to note that a server is only exploitable if it has a specific configuration trigger. The buffer overflow occurs when the ‘rewrite’, ‘if’, or ‘set’ directives are used under the following two conditions:
- The configuration uses unnamed PCRE regular expression captures (e.g., $1, $2).
- The replacement string in the directive contains a question mark (?).
For example, a configuration using ‘rewrite ^/api/(.*)$ /internal?id=$1;’ would be vulnerable.
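The two conditions above can be checked mechanically. The following is an added example (not Akamai's or NGINX's code) that scans an nginx configuration for rewrite and set directives whose replacement string both references an unnamed capture ($1, $2, ...) and contains a question mark; directives nested inside if blocks are scanned the same way. The configuration text is constructed for the demonstration.

```python
import re

# Constructed sample nginx config (not from the advisory). The directives
# marked "risky" combine an unnamed capture ($1) with a '?' in the
# replacement string, which is the trigger the advisory describes.
SAMPLE_CONF = """
location /api/ {
    rewrite ^/api/(.*)$ /internal?id=$1;           # risky
    rewrite ^/old/(.*)$ /new/$1 permanent;         # no '?' in replacement
    set $target "/lookup?key=$1";                  # risky
    if ($request_uri ~ ^/v1/(.*)$) {
        rewrite ^ /v2?path=$1 break;               # risky, inside an if block
    }
    rewrite ^/named/(?<rest>.*)$ /safe?rest=$rest; # named capture only
}
"""

# rewrite REGEX REPLACEMENT [flag];  /  set $variable VALUE;
DIRECTIVE_RE = re.compile(r'\b(rewrite|set)\s+([^;{}]*);')
# One argument: a double-quoted string, a single-quoted string, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
UNNAMED_CAPTURE_RE = re.compile(r'\$\d')


def strip_comments(text):
    """Drop '#' comments so commented-out directives are not reported."""
    return '\n'.join(line.split('#', 1)[0] for line in text.splitlines())


def find_risky_directives(conf_text):
    """Return (directive, replacement) pairs that meet both advisory conditions."""
    risky = []
    for match in DIRECTIVE_RE.finditer(strip_comments(conf_text)):
        name, args = match.group(1), match.group(2)
        tokens = [t.strip('"\'') for t in TOKEN_RE.findall(args)]
        if len(tokens) < 2:
            continue
        # The second argument is the replacement (rewrite) or the value (set).
        replacement = tokens[1]
        if UNNAMED_CAPTURE_RE.search(replacement) and '?' in replacement:
            risky.append((name, replacement))
    return risky


if __name__ == "__main__":
    for directive, replacement in find_risky_directives(SAMPLE_CONF):
        print(f"review {directive} directive with replacement: {replacement}")
```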
How the NGINX Rift attack works
The NGINX Rift attack works by sending a specially crafted HTTP request containing extensive repeating patterns (such as continuous ‘+’ characters) that bypass standard length checks.
When the rewrite module processes this input against the vulnerable configuration, it exceeds the allocated heap buffer size, leading to memory corruption. What happens next depends heavily on the server's environment and the complexity of the attack.
- Denial of service (DoS): Attackers can easily leverage this memory corruption to reliably crash the NGINX worker process. A continuous stream of these malicious requests will keep crashing the workers, resulting in sustained DoS.
- Remote code execution (RCE): Escalating this vulnerability to execute arbitrary code is significantly more difficult because of modern operating system defenses, primarily address space layout randomization (ASLR). ASLR acts as a security defense by randomly scrambling the locations of data and code in memory, making it incredibly difficult for an attacker to know exactly where to inject their malicious code.
To bypass ASLR and successfully achieve RCE, an attacker would need two highly specific conditions to align perfectly:
- An information leak: The attacker would need a secondary vulnerability or misconfiguration that leaks memory addresses, allowing them to map out the randomized memory space.
- Precise memory manipulation: The attacker would need to perfectly manipulate the server's memory structure (often called “heap grooming”) right before the overflow occurs, ensuring the corrupted data exactly overwrites the right execution pointers.
Because these RCE conditions are complex and difficult to reliably string together without crashing the process first, DoS remains the most immediate and likely impact in the wild.
Please note: This vulnerability does not require authentication. An attacker only needs to send a malicious HTTP request to a server that relies on the vulnerable rewrite module directives.
Is your NGINX version vulnerable?
The vulnerability is present in both core editions of NGINX:
- NGINX Open Source
- NGINX Plus
NGINX Open Source
- Versions 1.0.0 through 1.30.0: Update to version 1.30.1, 1.31.0, or later
- Legacy versions 0.6.27 through 0.9.7: No official patch is planned; manual configuration changes are required to mitigate the risk
NGINX Plus
- Release 36 (R36 to R36 P3): Update to R36 P4
- Release 32 (R32 to R32 P5): Update to R32 P6
- Releases 33, 34, and 35: No direct patch; you must upgrade to R36 P4 or R37.0.0 (or higher)
Note: Several products that utilize the underlying NGINX engine are also affected and require updates. These include NGINX Ingress Controller, NGINX Gateway Fabric, NGINX Instance Manager, and various other products built on NGINX.
Mitigation with Akamai App & API Protector
On May 18, 2026, Akamai deployed an Adaptive Security Engine Rapid Rule for Akamai App & API Protector customers to provide full coverage.
3000983 — NGINX Critical Heap Buffer Overflow Detected (CVE-2026-42945)
Summary
A new rule within Akamai App & API Protector has been deployed to protect our customers from the latest NGINX threat. Although configuration workarounds exist, the most effective defense will always be to promptly apply the patches provided by the vendor. Given the severity of this issue, any patches should be applied as soon as possible.
The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.