F5's NGINX Open Source and NGINX Plus contain several security vulnerabilities. One of them is already under attack and is being used to knock servers offline: a flaw in the ngx_http_rewrite_module of both products lets unauthenticated attackers on the network crash servers, and in special cases they could even inject and execute malicious code. First attacks have already been observed.
A security advisory from F5 [1] describes the vulnerability. The flaw in the rewrite module is reachable when a rewrite, if, or set directive is used with a Perl-compatible regular expression whose replacement expression contains a "?". Attackers on the network can then trigger a heap-based buffer overflow in the NGINX worker process with crafted requests and without prior authentication, causing the worker to crash and restart (denial of service, DoS). In the unlikely case that Address Space Layout Randomization (ASLR) is disabled, this could even lead to execution of injected code (CVE-2026-42945 [2], CVSS 8.1, risk "high"; CVSS 4.0 9.2, risk "critical"). The newer scoring scheme thus yields a higher risk rating.
The vulnerability is old: the responsible code has been in NGINX for 18 years [3]. A proof-of-concept exploit (PoC) [4] demonstrates exploitation of the flaw, dubbed "NGINX Rift". VulnCheck reports on LinkedIn [5] that it has observed active exploitation in the wild. Typically this amounts to DoS attacks against vulnerable servers, of which VulnCheck counts 5.7 million [6] reachable on the Internet.
Additional vulnerabilities in NGINX OSS and Plus
Further vulnerabilities have been found in NGINX OSS and Plus, though with significantly lower risk ratings. The HTTP/3 (QUIC) module has a spoofing vulnerability (CVE-2026-40460 [7], CVSS 6.5, risk "medium"). ngx_http_scgi_module and ngx_http_uwsgi_module can consume excessive memory or leak data (CVE-2026-42946 [8], CVSS 6.5, risk "medium"). Further flaws affect the HTTP/2 proxy mode (CVE-2026-42926 [9], CVSS 5.8), the ngx_http_charset_module (CVE-2026-42934 [10], CVSS 4.8), and the ngx_http_ssl_module (CVE-2026-40701 [11], CVSS 4.8), all rated "medium".
Not every vulnerability affects every NGINX OSS and Plus version, but the latest releases carry fixes for the flaws they contain. F5 names NGINX Plus 37.0.0, R36 P4 and R32 P6, NGINX Open Source 1.31.0 and 1.30.1 (0.x versions receive no fix), and others as the releases that address the security-relevant errors. For several products, however, F5 has no fixes available yet, among them NGINX Instance Manager and NGINX App Protect WAF. For the vulnerability that is already under attack, F5's advisory [12] additionally provides adjusted rewrite rules that avoid the vulnerable pattern, which administrators can apply until they can update.
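As a first triage step an administrator will want to know whether a configuration even contains the directive pattern the advisory describes. The following audit script is an added example written for this article, not tooling from F5 or the NGINX project. It encodes the trigger condition exactly as summarised above (a rewrite, if or set directive combined with a PCRE regex and a replacement value containing "?"), so it can only point at candidate rules; it does not reproduce the bug and cannot prove a build vulnerable or safe. The sample configuration and the `nginx -v` banner are constructed, and the version check only knows the two fixed Open Source releases the article names (1.30.1 and 1.31.0); everything older is reported as not known to be fixed.

```python
"""Audit an nginx configuration for the CVE-2026-42945 trigger pattern as the
F5 advisory summary describes it: a rewrite / if / set directive combined with
a PCRE regular expression whose replacement value contains a "?".

Added example, not F5's or NGINX's own tooling. Heuristic only: it flags
candidate rules, it does not reproduce or prove the bug.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int
    directive: str
    text: str
    reason: str


# Constructed sample config (not from the article or the F5 advisory).
# Lines 4 and 7 match the pattern; the server-level "set" on line 3 does not,
# because no regular expression (and hence no $1..$9 capture) is in scope.
SAMPLE_CONF = """\
server {
    listen 80;
    set $no_regex /index?page=1;
    rewrite ^/old/([^/]+)$ /new?item=$1 last;
    rewrite ^/docs/(.*)$ /documentation/$1 permanent;
    if ($request_uri ~ ^/api/v1/(.*)$) {
        set $target /api/v2/$1?legacy=1;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 break;
    }
}
"""

# rewrite <regex> <replacement> [flag];
_REWRITE = re.compile(
    r'^rewrite\s+(\S+)\s+(\S+)(?:\s+(?:last|break|redirect|permanent))?\s*;$')
# set $var <value>;
_SET = re.compile(r'^set\s+(\$\w+)\s+(\S+)\s*;$')
# Blocks that run a PCRE match and make captures live inside them:
# "if ($var ~ regex) {" / "if ($var !~* regex) {" and "location ~ regex {".
_REGEX_BLOCK = re.compile(
    r'^(?:if\s*\(.*\s!?~\*?\s.*\)|location\s+~\*?\s+\S+)\s*\{$')
_VERSION = re.compile(r'nginx/(\d+)\.(\d+)\.(\d+)')


def _strip_comment(line: str) -> str:
    # nginx comments run from "#" to end of line; a quoted "#" is rare enough
    # in these directives that a plain split is acceptable for an audit pass.
    return line.split('#', 1)[0].strip()


def audit_nginx_conf(conf: str) -> List[Finding]:
    """Return every rewrite/set directive matching the trigger pattern."""
    findings: List[Finding] = []
    # One entry per open block: True if that block is a regex if/location.
    regex_ctx: List[bool] = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if line == '}':
            if regex_ctx:
                regex_ctx.pop()
            continue
        if line.endswith('{'):
            regex_ctx.append(bool(_REGEX_BLOCK.match(line)))
            continue
        m = _REWRITE.match(line)
        if m and '?' in m.group(2):
            findings.append(Finding(n, 'rewrite', line,
                f'regex {m.group(1)!r} rewrites to a replacement containing "?"'))
            continue
        m = _SET.match(line)
        if m and '?' in m.group(2) and any(regex_ctx):
            findings.append(Finding(n, 'set', line,
                'value containing "?" assigned inside a regex if/location block'))
    return findings


def oss_version_is_fixed(nginx_v_banner: str) -> bool:
    """True when an `nginx -v` banner names NGINX Open Source 1.30.1 or a later
    release (which includes 1.31.0), the fixed OSS versions the article cites.
    Anything older is reported as not known to be fixed."""
    m = _VERSION.search(nginx_v_banner)
    if not m:
        raise ValueError(f'no nginx version in {nginx_v_banner!r}')
    return tuple(int(x) for x in m.groups()) >= (1, 30, 1)


if __name__ == '__main__':
    for f in audit_nginx_conf(SAMPLE_CONF):
        print(f'line {f.line_no}: {f.directive}: {f.reason}\n    {f.text}')
    # Constructed banner in the format `nginx -v` prints (to stderr).
    print('1.30.0 fixed?', oss_version_is_fixed('nginx version: nginx/1.30.0'))
```

In practice, feed the script the fully resolved configuration (`nginx -T` prints it, includes expanded) rather than a single file. Expect hits: a "?" in a rewrite replacement is the documented nginx idiom for preventing the original query string from being appended, so such rules are common in legacy redirect setups.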
Only recently, security vulnerabilities in the Nginx UI web interface [13] made headlines; those allowed attackers to take over entire instances.
(dmk [15]). URL of this article: https://www.heise.de/-11298217
Links in this article:
[1] https://my.f5.com/manage/s/article/K000161019
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-42945
[3] https://depthfirst.com/nginx-rift
[4] https://github.com/DepthFirstDisclosures/Nginx-Rift
[5] https://www.linkedin.com/posts/patrickmgarrity_cybersecurity-threatintelligence-riskmanagement-share-7461369931851517952-PBjV/
[6] https://docs.vulncheck.com/initial-access/2026-05-15#cve-2026-42945-nginx-ngx_http_rewrite_module-heap-based-buffer-overflow-queries-and-signatures-only
[7] https://nvd.nist.gov/vuln/detail/CVE-2026-40460
[8] https://nvd.nist.gov/vuln/detail/CVE-2026-42946
[9] https://nvd.nist.gov/vuln/detail/CVE-2026-42926
[10] https://nvd.nist.gov/vuln/detail/CVE-2026-42934
[11] https://nvd.nist.gov/vuln/detail/CVE-2026-40701
[12] https://my.f5.com/manage/s/article/K000161019
[13] https://www.heise.de/news/Abermals-kritische-Sicherheitsluecke-in-Nginx-UI-geschlossen-11276012.html
[14] heise security PRO
[15] mailto:dmk@heise.de
Copyright © 2026 Heise Medien