🚨 New nginx CVE: CVE-2026-42945, aka "NGINX Rift."
Heap buffer overflow in ngx_http_rewrite_module. ~18-year-old bug. Unauthenticated. One crafted HTTP request. CVSS 9.2 Critical.
If you run nginx in front of PHP / WordPress / API gateways, read on 🧵
Root cause: a size mismatch between two passes over the rewrite replacement string.
If a rewrite uses an unnamed capture ($1, $2…), has a ? in the replacement, and is followed by another rewrite/if/set, nginx sizes the buffer with one escape method and writes with another.
Chars like +, %, & expand during re-escape → the write runs past the heap allocation, and the overflowing bytes come from the attacker's URI.
Worker-crash DoS reproduces on every nginx 0.6.27 → 1.30.0 (+ Plus R32–R36). RCE is harder with ASLR, but it's not impossible.
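A config check for the trigger pattern described above, added here as an example (not code from this thread's author or from nginx): it flags rewrite directives whose replacement has a numbered capture and a ?, when a rewrite, if or set comes later in the same block. Reading "followed by" as "later in the same block" is an assumption, as are the names parse and audit and the constructed sample config.

```python
import re

TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|\n|[^\s;{}]+''')
FOLLOWERS = {"rewrite", "if", "set"}  # directives the thread names as the trigger
SAMPLE = r"""# Constructed sample config, not from a real deployment
location /a/ {
    rewrite ^/a/(.*)$ /index.php?q=$1;   # $1 + "?" ...
    set $seen 1;                         # ... then set in the same block
}
location /b/ {
    rewrite ^/b/(.*)$ /index.php?q=$1 last;  # nothing follows it
}
location /c/ {
    rewrite ^/c/(?<slug>.*)$ /index.php?q=$slug;  # named capture only
    rewrite ^/old$ /new;
}
"""

def parse(text):
    """Return [(block_id, line, words)] per directive, honouring quotes and comments."""
    out, stack, words, line, start = [], [None], [], 1, 1
    for tok in (m.group() for m in TOKEN.finditer(text)):
        if tok in (";", "{", "}"):
            if words:
                out.append((stack[-1], start, words))
            words = []
            if tok == "{":
                stack.append(object())  # fresh identity for the block being opened
            elif tok == "}" and len(stack) > 1:
                stack.pop()
        elif tok != "\n" and not tok.startswith("#"):
            if not words:
                start = line
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)
        line += tok.count("\n")
    return out

def audit(text):
    """Return [(line, replacement)] for rewrites matching the pattern in the thread."""
    ds, hits = parse(text), []
    for i, (blk, line, w) in enumerate(ds):
        if w[0] != "rewrite" or len(w) < 3:
            continue
        uses = re.search(r"\$\{?\d", w[2]) and "?" in w[2]  # numbered capture and "?"
        if uses and any(b == blk and x[0] in FOLLOWERS for b, _, x in ds[i + 1:]):
            hits.append((line, w[2]))
    return hits

if __name__ == "__main__":
    print(audit(SAMPLE))  # [(3, '/index.php?q=$1')]
```

A hit means the config matches the trigger conditions described above, not that the running nginx build is an affected version.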