F5 has released urgent security updates to address a critical remote code execution (RCE) vulnerability in NGINX, one of the world's most widely deployed web servers and reverse proxy solutions.
Tracked as CVE-2026-42945 and nicknamed "NGINX Rift," the vulnerability affects both NGINX Open Source and NGINX Plus. Security researchers warn that successful exploitation could allow unauthenticated attackers to crash vulnerable servers or potentially execute arbitrary code remotely. The flaw has received a critical severity rating and impacts software used by millions of websites and enterprise applications worldwide.
What Is CVE-2026-42945?
CVE-2026-42945 is a heap-based buffer overflow vulnerability in NGINX's ngx_http_rewrite_module.
According to researchers, the bug stems from a logic mismatch in NGINX's internal script engine. Under specific conditions, NGINX incorrectly calculates memory allocation sizes during URL rewriting operations, leading to a heap overflow when processing specially crafted HTTP requests.
The vulnerability remained hidden in the codebase for approximately 18 years, making it one of the longest-lived critical flaws discovered in a major internet-facing technology platform.
Why This Vulnerability Is Dangerous
The most concerning aspect of the flaw is that it can be exploited remotely without authentication.
An attacker can send specially crafted HTTP requests to a vulnerable NGINX server and potentially:
- Trigger denial-of-service (DoS) conditions
- Crash NGINX worker processes
- Force service restarts
- Corrupt application memory
- Achieve remote code execution under specific conditions
Security researchers demonstrated that memory corruption caused by the vulnerability could be leveraged to gain control over program execution, particularly in environments where additional protections are absent or bypassed.
Affected Products
The vulnerability affects a wide range of NGINX deployments, including:
NGINX Open Source
- Versions 1.0.0 through 1.30.0
NGINX Plus
- Releases R32 through R36
Additional F5 and NGINX products built on vulnerable components may also be impacted, including:
- NGINX Instance Manager
- NGINX App Protect WAF
- F5 WAF for NGINX
- NGINX App Protect DoS
- Various NGINX-based infrastructure deployments
Organizations using NGINX as a reverse proxy, load balancer, ingress controller, or web server should immediately assess their exposure.
How Researchers Discovered the Flaw
One of the most remarkable aspects of this disclosure is how the vulnerability was found.
Researchers from security company DepthFirst reportedly used an AI-assisted vulnerability discovery system to identify multiple previously unknown security flaws in NGINX, including CVE-2026-42945.
The discovery highlights the growing role of artificial intelligence in identifying security weaknesses that have survived years of manual code reviews, penetration testing, and automated scanning.
Security Impact on Enterprises
NGINX powers a significant portion of the internet and is heavily deployed across:
- Cloud environments
- Enterprise applications
- Financial institutions
- Government systems
- SaaS platforms
- Kubernetes infrastructures
Because NGINX frequently sits at the network edge, exploitation could provide attackers with a valuable entry point into enterprise environments.
Cybersecurity teams should prioritize patching internet-facing NGINX instances due to the high severity and widespread deployment of the affected software.
Mitigation and Recommended Actions
F5 has released security updates to address the vulnerability.
Organizations should immediately upgrade to:
Fixed Versions
NGINX Open Source
- Version 1.30.1 or later
NGINX Plus
- R36 P4
- R35 P2
- R32 P6
- Later supported releases
Security teams should also:
- Inventory all NGINX deployments
- Review rewrite configurations
- Monitor logs for suspicious HTTP requests
- Scan for exposed NGINX services
- Apply patches as part of emergency remediation procedures
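To support the inventory step, the following added example (not code from F5 or from the original article) classifies collected version banners against the affected and fixed versions listed above. The banner shapes, including the `nginx-plus-rNN-pN` suffix, and the host names are assumptions, and the sample inventory is constructed.

```python
import re

# Ranges and fixed builds exactly as listed in this article.
OSS_FIRST, OSS_LAST = (1, 0, 0), (1, 30, 0)
PLUS_FIRST, PLUS_LAST = 32, 36
# Release -> first fixed patch level; R33 and R34 have no fix listed here.
PLUS_FIXED_PATCH = {36: 4, 35: 2, 32: 6}

# Assumed banner shapes: "nginx/1.24.0" and "nginx/1.25.5 (nginx-plus-r32-p1)".
OSS_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
PLUS_RE = re.compile(r"nginx-plus-r(\d+)(?:-p(\d+))?", re.IGNORECASE)

def classify(banner: str) -> str:
    """Return 'affected', 'fixed', 'not-listed' or 'unknown' for one banner."""
    plus = PLUS_RE.search(banner)
    if plus:  # check Plus first: its banner also carries an OSS-style number
        release, patch = int(plus.group(1)), int(plus.group(2) or 0)
        if release > PLUS_LAST:
            return "fixed"        # covered by "later supported releases"
        if release < PLUS_FIRST:
            return "not-listed"   # outside the range the article gives
        fixed_at = PLUS_FIXED_PATCH.get(release)
        return "fixed" if fixed_at is not None and patch >= fixed_at else "affected"
    oss = OSS_RE.search(banner)
    if not oss:
        return "unknown"          # version hidden, or not NGINX at all
    version = tuple(int(part) for part in oss.groups())
    if version < OSS_FIRST:
        return "not-listed"
    return "affected" if version <= OSS_LAST else "fixed"

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so patch work can be ordered."""
    groups: dict[str, list[str]] = {}
    for host, banner in sorted(inventory.items()):
        groups.setdefault(classify(banner), []).append(host)
    return groups

# Constructed sample: host -> `nginx -v` output or Server response header.
SAMPLE = {
    "edge-01": "nginx version: nginx/1.24.0",
    "edge-02": "nginx version: nginx/1.30.1",
    "lb-01": "nginx version: nginx/1.25.5 (nginx-plus-r32-p1)",
    "lb-02": "nginx version: nginx/1.29.0 (nginx-plus-r36-p4)",
    "lb-03": "nginx version: nginx/1.27.2 (nginx-plus-r34)",
    "api-01": "Server: nginx",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as `unknown` hide their version and need to be checked on the host itself; a hidden banner says nothing about whether the build is patched.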
The Bigger Picture
The discovery of an 18-year-old critical vulnerability in one of the internet's most trusted web servers demonstrates how hidden security flaws can persist for decades.
It also illustrates how AI-assisted security research is changing vulnerability discovery. As artificial intelligence becomes more capable of analyzing large codebases, organizations may see an increase in disclosures involving long-standing vulnerabilities in critical infrastructure software.
For defenders, the lesson is clear: even mature and heavily audited technologies require continuous monitoring, patching, and security assessments.
Conclusion
The disclosure of CVE-2026-42945 serves as a wake-up call for organizations relying on NGINX infrastructure. With the potential for remote code execution and widespread exposure across enterprise environments, security teams should treat this vulnerability as a high-priority patching event.
As threat actors increasingly target internet-facing infrastructure, timely remediation remains the most effective defense against exploitation.