Critical vulnerability disclosed in NGINX web server

Security researchers at Picus Security have detailed a critical vulnerability found in the widely-used NGINX web server. Designated CVE-2026-42945 and dubbed NGINX Rift, the flaw is a heap buffer overflow with a critical CVSS score of 9.2, and it had reportedly been present in the codebase for 18 years before its disclosure on May 13, 2026.

NGINX serves as a foundational component for a significant portion of the internet, powering an estimated one-third of all websites. This widespread deployment means that a vulnerability like NGINX Rift carries substantial implications for global organizations, as it targets a critical point in the network infrastructure that often faces external requests directly.

Picus Security's analysis indicates the vulnerability resides within NGINX's URL rewriting functionality (ngx_http_rewrite_module). An unauthenticated remote attacker could potentially exploit this by sending specially crafted HTTP requests, leading to memory corruption and subsequent remote code execution. The security firm noted that the vulnerability affects not only the open-source NGINX but also commercial products such as NGINX Plus and various F5 Web Application Firewall (WAF) solutions that incorporate NGINX.

Alongside NGINX Rift, Picus Security also identified three other vulnerabilities disclosed on the same date: CVE-2026-42946 (Denial of Service), CVE-2026-40701 (Use-after-free), and CVE-2026-42934 (Out-of-bounds read). The company provided technical details on the exploit mechanism for CVE-2026-42945 and offered guidance on mitigation strategies, including configuration reviews and monitoring for suspicious network traffic.

Organizations utilizing NGINX are strongly advised to review their configurations for susceptible rewrite rules and apply necessary security updates promptly to address these risks. The firm also suggests monitoring for unusual URL patterns and heavily encoded payloads as potential indicators of exploitation attempts.