Daniel Púa (@devploit)
🚨 New nginx CVE: CVE-2026-42945, aka "NGINX Rift." Heap buffer overflow in ngx_http_rewrite_module. ~18-year-old bug. Unauthenticated. One crafted HTTP request. CVSS 9.2 Critical. If you run nginx in front of PHP / WordPress / API gateways, read on 🧵
Root cause: a size mismatch between two passes over the rewrite replacement string. If a rewrite uses an unnamed capture ($1, $2…) + a ? in the replacement + is followed by another rewrite/if/set, nginx sizes the buffer with one escape method and writes with another.
Chars like +, %, & expand during re-escape → the write runs past the heap allocation, and the overflowing bytes come from the attacker's URI. Worker-crash DoS reproduces on every nginx 0.6.27 → 1.30.0 (+ Plus R32–R36). RCE is harder with ASLR, but it's not impossible.
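A config audit for the trigger pattern the thread describes (a rewrite whose replacement has an unnamed capture and a `?`, followed by another rewrite/if/set), as an added example that is not from the thread's author or the nginx project. Assumptions: "followed by" is read as any later `rewrite`, `if` or `set` in the same block, `include` files are not resolved, and the function names and sample config are constructed here.

```python
import re
# Tokens: quoted strings, comments, structural characters, bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|[^\s{};"'#]+''')
FOLLOWERS = {"rewrite", "if", "set"}   # directives the thread names (assumed scope: same block)
UNNAMED_CAPTURE = re.compile(r"\$\d")  # $1, $2, ... but not $name


def directives_by_block(conf):
    """Yield, per {...} block and for the top level, [(line, name, args), ...]."""
    stack, words, start = [[]], [], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok in (";", "{"):          # end of a directive or start of its block
            if words:
                stack[-1].append((start, words[0], words[1:]))
            words = []
            if tok == "{":
                stack.append([])
        elif tok == "}" and len(stack) > 1:
            yield stack.pop()
        elif tok[0] not in "#}":       # skip comments and stray closing braces
            if not words:
                start = conf.count("\n", 0, m.start()) + 1
            words.append(tok.strip("\"'"))
    yield from stack


def find_risky_rewrites(conf):
    """Return sorted (line, replacement, follower) for rewrites matching the pattern."""
    findings = []
    for block in directives_by_block(conf):
        for i, (line, name, args) in enumerate(block):
            if name != "rewrite" or len(args) < 2:
                continue
            repl = args[1]
            later = [n for _, n, _ in block[i + 1:] if n in FOLLOWERS]
            if UNNAMED_CAPTURE.search(repl) and "?" in repl and later:
                findings.append((line, repl, later[0]))
    return sorted(findings)

# Constructed sample config (not from the thread): only line 4 matches.
SAMPLE = r'''
server {
    location /shop/ {
        rewrite ^/shop/(.*)$ /index.php?item=$1;
        set $backend php;
    }
    location /docs/ { rewrite ^/docs/(?<page>.*)$ /view?p=$page; rewrite ^/old$ /new; }
    location /api/ { rewrite ^/api/(.*)$ /v2/$1 break; if ($request_method = POST) { return 405; } }
}
'''
print(find_risky_rewrites(SAMPLE))
```

A hit only marks a directive for review against the thread's description; it does not replace checking the running nginx version against the affected range.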