A significant security vulnerability identified as CVE-2026-42945, commonly referred to as Nginx Rift, has been discovered in the widely used open-source web server software NGINX. This flaw, categorized as a heap-based buffer overflow, affects NGINX Open Source versions from 0.6.27 to 1.30.0, NGINX Plus versions R32 to R36, and several F5 products like the NGINX Ingress Controller and F5 WAF for NGINX. The vulnerability allows attackers to create a denial-of-service condition by exploiting specific configurations involving rewrite directives with unnamed regular expression capture groups.

An estimated 5.7 million web servers are potentially vulnerable to this flaw according to a Censys query conducted by VulnCheck. Although remote code execution is not the primary concern due to the requirement to disable Address Space Layout Randomization, the denial-of-service threat remains significant. F5 has taken steps to address the issue by releasing patches for NGINX Open Source versions 1.31.0 and 1.30.1 as well as NGINX Plus versions R36 P4 and R32 P6. Ubuntu, Debian, and AlmaLinux have also issued patches.

For systems that cannot be updated immediately, F5 recommends configuration changes to use named captures instead of unnamed ones to mitigate risks. Security experts emphasize the importance of applying these updates promptly to prevent potential disruptions. The general consensus is that assuming the existence of a weaponized exploit is prudent, and proactive measures should be prioritized to safeguard systems.