F5 patches critical NGINX vulnerability that could crash web server processes

Around one in three websites on the internet runs on NGINX. That market share is exactly what makes a critical vulnerability in the web server worth paying close attention to, and one surfaced recently that system administrators running affected versions need to address without delay.

F5, the company behind NGINX, released patches this week after researchers at Depthfirst discovered a memory corruption bug in the NGINX rewrite module. The flaw, now tracked as CVE-2026-42945 and named NGINX Rift, scored 9.2 out of 10 on the CVSS 4.0 severity scale. Depthfirst found it using an AI-powered source code scanner, which flagged the heap buffer overflow hiding inside a module that a significant portion of production NGINX deployments actively use.

The configuration that triggers the vulnerability is not obscure. It requires rewrite and set directives, which appear regularly in PHP front controllers, WordPress permalink setups, and API gateways routing public traffic to internal endpoints. In other words, this is not an edge case configuration. Many live production environments meet the conditions.

The practical risk depends on the target system. On servers where address space layout randomisation (ASLR) is enabled by default, which covers virtually every modern operating system, converting the bug into reliable remote code execution is technically difficult.

AlmaLinux noted that Depthfirst disabled ASLR when developing its proof-of-concept, which makes the heap layout predictable in ways production environments typically do not allow. Without that predictable layout, the most consistent outcome is a worker process crash, which amounts to a denial of service rather than a full system compromise. Remote code execution remains theoretically possible, but not straightforward to pull off reliably.

That distinction matters for prioritization, though it does not make patching optional. Depthfirst also identified three additional memory corruption bugs in the same research, including one rated at 8.3 out of 10 and two medium-severity findings.

Affected versions cover NGINX Open Source from 0.6.27 through 1.30.0. Fixed versions are 1.30.1 and 1.31.0. For NGINX Plus, versions R32 through R36 carry the vulnerability, with fixes available in R32 P6, R35 P2, and R36 P4.
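As an added triage aid, not code from the article or from F5 or Depthfirst, the script below checks a version string from `nginx -v` against the affected NGINX Open Source range given above and scans a configuration for the `rewrite` and `set` directives the article names as the trigger conditions. NGINX Plus release numbering is not handled, and the sample configuration is constructed for the example.

```python
import re
import subprocess

# Bounds taken from the advisory summary above (NGINX Open Source only; Plus R-numbering not handled).
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

def is_affected_version(text: str) -> bool:
    """True when the version in 'nginx -v' output (or a bare string) lies in 0.6.27 .. 1.30.0 inclusive."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return AFFECTED_MIN <= tuple(int(x) for x in m.groups()) <= AFFECTED_MAX

_DIRECTIVE = re.compile(r"^\s*(rewrite|set)\s", re.MULTILINE)

def config_meets_trigger_conditions(config: str) -> bool:
    """True when both 'rewrite' and 'set' appear outside comments (the precondition the article describes)."""
    uncommented = re.sub(r"#.*", "", config)  # crude: also strips '#' inside quoted values
    return {"rewrite", "set"} <= set(_DIRECTIVE.findall(uncommented))

def triage(version_text: str, config: str) -> str:
    """Combine both checks into a verdict for patch prioritisation."""
    if not is_affected_version(version_text):
        return "unaffected"
    return "exposed" if config_meets_trigger_conditions(config) else "affected-no-trigger"

def local_nginx_version():
    """Run 'nginx -v' (it reports on stderr); returns None if the binary is not on PATH."""
    try:
        proc = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout

# Constructed sample: a PHP front-controller block of the kind the article mentions.
SAMPLE_CONFIG = """
server {
    listen 80;
    set $front index.php;          # constructed sample, not a real site config
    location / {
        rewrite ^/(.*)$ /$front?route=$1 last;
    }
}
"""

if __name__ == "__main__":
    v = local_nginx_version() or "nginx/1.30.0"  # constructed fallback when nginx is absent
    print(v.strip(), "->", triage(v, SAMPLE_CONFIG))
```

Run it on the host alongside the real configuration (`nginx -T` dumps the full merged config) to get the verdict for that deployment.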

Given how widely NGINX underpins web infrastructure globally, administrators running affected versions should treat this update as time-sensitive.
