The first in-the-wild attacks exploiting a critical-severity NGINX vulnerability patched last week occurred over the weekend, VulnCheck warns.
Tracked as CVE-2026-42945 (CVSS score of 9.2) and dubbed Nginx Rift, the flaw is described as a heap buffer overflow in the ngx_http_rewrite_module component. It lurked in the NGINX code for 16 years.
Shortly after F5 released patches for the bug, Depthfirst published technical details and proof-of-concept (PoC) code targeting it. Now, VulnCheck says threat actors are already exploiting the issue in attacks.
“We’re seeing active exploitation of CVE-2026-42945 in F5 NGINX, a heap buffer overflow affecting both NGINX Plus and NGINX Open Source on VulnCheck Canaries just days after the CVE was published,” VulnCheck researcher Patrick Garrity warned.
The security defect exists because the script engine relies on a two-pass process to calculate the buffer size and copy data to it, and because the internal engine state changes between these passes. In certain conditions, an unpropagated flag results in attacker-supplied data being written past the heap boundary.
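The bug class described above, as a generic illustration added here (not code from NGINX, F5, VulnCheck or the Depthfirst write-up): a sizing pass and a copy pass that can disagree when a flag changes between them, with the copy pass hardened to check every write against the allocated capacity. The escaping flag, the function names and the sample input are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical engine state: one flag that changes how a value expands. */
typedef struct { int escape; } engine_t;

/* Pass 1: bytes needed for src under the engine's current state. */
size_t len_pass(const engine_t *e, const char *src) {
    size_t n = 0;
    for (; *src; src++)
        n += (e->escape && *src == ' ') ? 3 : 1;   /* ' ' becomes "%20" */
    return n;
}

/* Pass 2, hardened: each write is checked against the capacity actually
 * allocated, so a disagreement with pass 1 becomes an error instead of a
 * write past the end of the buffer. Returns bytes written, or -1. */
long copy_pass(const engine_t *e, const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        if (e->escape && *src == ' ') {
            if (cap - n < 3) return -1;
            memcpy(dst + n, "%20", 3);
            n += 3;
        } else {
            if (cap - n < 1) return -1;
            dst[n++] = *src;
        }
    }
    return (long)n;
}

/* Runs both passes; escape_at_copy models the flag as pass 2 sees it. */
long expand(const char *src, int escape_at_len, int escape_at_copy,
            char *dst, size_t dst_size) {
    engine_t e = { escape_at_len };
    size_t need = len_pass(&e, src);
    if (need > dst_size) return -1;
    e.escape = escape_at_copy;            /* state changes between passes */
    return copy_pass(&e, src, dst, need); /* cap = what pass 1 sized */
}

int main(void) {
    char buf[64];
    /* Constructed input: flag unset in pass 1, set in pass 2. */
    printf("%ld\n", expand("a b c", 0, 1, buf, sizeof buf));
    return 0;
}
```

Without the capacity checks in `copy_pass`, the mismatched case would write 9 bytes into a region sized for 5.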
On default deployments, successful exploitation of the CVE would trigger a server restart, causing a denial-of-service (DoS) condition. If Address Space Layout Randomization (ASLR) is disabled, the vulnerability can lead to remote code execution (RCE).
As VulnCheck points out, the bug can be exploited remotely, without authentication, via crafted HTTP requests, but requires a specific rewrite configuration.
While crashing the NGINX worker process is fairly trivial with a single crafted request, achieving RCE is more difficult, as most deployments have ASLR enabled by default.
“Our Censys query surfaces roughly 5.7M internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is likely to be a much smaller subset of those,” VulnCheck says.
The vulnerability demands urgent attention, security researchers warn. Wider exploitation attempts against vulnerable deployments are to be expected, especially since the public PoC can be used to disable ASLR and achieve RCE.
