Overview
On May 13, 2026, researchers disclosed “NGINX Rift,” a critical vulnerability chain discovered by DepthFirst AI. The chain consists of four remote memory corruption issues, the most severe of which has existed in the NGINX codebase since 2008. Together, these flaws allow unauthenticated remote attackers to crash worker processes, leak memory, or achieve full Remote Code Execution (RCE) by exploiting deterministic heap layouts.
The Threat: A Four-CVE Chain
While the headlines focus on the RCE, the Rift discovery actually involves a suite of vulnerabilities that affect different NGINX modules and stages of request processing. An attacker can weaponize these individually or in sequence to compromise the web server.
| CVE ID | Severity | Description & Impact |
|---|---|---|
| CVE-2026-42945 | Critical (9.2) | Heap Buffer Overflow: A state mismatch in the script engine during rewrite and set sequences. Results in unauthenticated RCE. |
| CVE-2026-42946 | High (8.3) | Excessive Memory Allocation: A logic error in ngx_http_scgi_module and uwsgi_module causes a ~1 TB allocation request, crashing worker processes (DoS). |
| CVE-2026-40701 | Medium (6.3) | Use-After-Free (UAF): A race condition in ngx_http_ssl_module where asynchronous OCSP resolution dereferences a freed pointer if the connection closes early. |
| CVE-2026-42934 | Medium (6.3) | Out-of-Bounds (OOB) Read: An off-by-one error in ngx_http_charset_module allowing attackers to read data before the allocated buffer via incomplete UTF-8 sequences. |
Real-World Impact
The NGINX Rift chain transforms standard web server operations into high-impact entry points. Because NGINX is the most popular web server globally, often acting as a reverse proxy, the exposure is massive:
- Unauthenticated RCE: The primary vulnerability (CVE-2026-42945) is triggered by common API gateway patterns—specifically those utilizing rewrite for request routing alongside set for URI logging or variable assignment.
- Reliable Exploitation: NGINX’s multi-process architecture uses a deterministic heap layout. If an exploit attempt crashes a worker, the master process spawns a replacement with the exact same memory layout, allowing for “safe” brute-forcing of ASLR.
- Information Leakage & DoS: The OOB read and excessive allocation issues provide attackers with primitives to leak sensitive memory or take down service availability.
Technical Breakdown of the RCE (CVE-2026-42945)
The RCE is achieved through a “two-pass” script execution failure:
- Pass 1 (Length Calculation): NGINX calculates memory for a variable. If a rewrite flag is set, a sub-engine incorrectly calculates the length based on unescaped data.
- Pass 2 (Execution/Copy): The main engine—still holding the is_args flag—performs URI escaping during the copy. This expands characters (e.g., ‘+’ to ‘%2B’), writing 3 bytes into a 1-byte slot.
- Corruption: The overflow overwrites the cleanup pointer in the ngx_pool_t structure. By spraying POST bodies (which can contain null bytes) to create a fake structure, attackers redirect execution to system() when the connection closes.
Immediate Recommendations
- Update NGINX Immediately: Move to NGINX Open Source 1.30.1+ or NGINX Plus R37+ (refer to F5/NGINX advisories for specific version mapping).
- Review Configurations: Scan for rewrite directives that modify URI arguments followed by set directives.
- Deployment Strategy: Ensure NGINX worker processes are running with the least possible privileges to mitigate the impact of a successful RCE.
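A heuristic check for the rewrite-then-set pattern named in the recommendations above, added here as an example and not code from XM Cyber, NGINX or the researchers. It assumes one directive per line and treats any rewrite replacement containing '?' as one that modifies URI arguments; findings are review candidates, not confirmation that a configuration is exploitable.

```python
import re

# Constructed sample (not from the advisory): /api/ pairs an argument-modifying
# rewrite with a later set directive, /static/ does not.
SAMPLE_CONF = """
http {
    server {
        location /api/ {
            rewrite ^/api/(.*)$ /v2/$1?route=$1 break;   # replacement adds URI arguments
            set $uri_for_log $request_uri;              # set follows it
        }
        location /static/ {
            rewrite ^/static/(.*)$ /assets/$1 break;     # no '?' in the replacement
            set $cache_key $uri;
        }
    }
}
"""
REWRITE_RE = re.compile(r'^rewrite\s+(\S+)\s+(\S+)')
SET_RE = re.compile(r'^set\s+\$\w+')

def find_rewrite_set_pairs(conf: str):
    """Return (rewrite_line, set_line, block_path) for every set directive that
    follows, in the same or an enclosing block, a rewrite whose replacement
    contains '?' (i.e. modifies URI arguments). Assumes one directive per line."""
    findings = []
    stack = []   # open block names, e.g. ['http', 'server', 'location /api/']
    risky = {}   # block depth -> line number of an argument-modifying rewrite
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # strip comments (ignores '#' inside quotes)
        if not line:
            continue
        if line.endswith('{'):                # block opens
            stack.append(line[:-1].strip())
            continue
        if line == '}':                       # block closes: its rewrite no longer applies
            risky.pop(len(stack), None)
            stack.pop()
            continue
        depth = len(stack)
        m = REWRITE_RE.match(line)
        if m and '?' in m.group(2):           # replacement sets or appends query arguments
            risky[depth] = lineno
            continue
        if SET_RE.match(line):
            for d in range(depth, -1, -1):    # nearest rewrite in this block or an outer one
                if d in risky:
                    findings.append((risky[d], lineno, ' > '.join(stack)))
                    break
    return findings
```

Run it over each nginx.conf and included file; a server-level rewrite followed by a set inside a location is reported as well, since the location's set executes after it.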
How XM Cyber Can Help
Our R&D teams are working diligently to quickly add support for NGINX Rift and the four distinct CVEs in the chain to our Vulnerability Risk Management (VRM), External Attack Surface Management (EASM) and Continuous Exposure Management (CEM) modules. Once completed, the platform will provide robust support for security teams looking to understand their exposure to each related CVE and how those CVEs can be chained with other exposures to move laterally across an environment and compromise critical assets.