NGINX: DoS vulnerability is being exploited
Security vulnerabilities exist in NGINX Open Source and NGINX Plus from F5. One is already being exploited and leads to DoS conditions.
A vulnerability in the ngx_http_rewrite_module of NGINX Open Source and NGINX Plus allows unauthenticated attackers on the network to take servers out of service. In special cases, they could even inject and execute malicious code. The first attacks have already been observed.
F5 discusses the vulnerability in a security advisory. The flaw in the rewrite module can be exploited if a rewrite directive is followed by a rewrite, if, or set directive and a Perl-compatible regular expression performs a substitution with an expression that contains a “?”. Unauthenticated attackers on the network can then use manipulated packets to trigger a heap-based buffer overflow in the NGINX worker process, which leads to a restart (denial of service, DoS). In the unlikely event that Address Space Layout Randomization (ASLR) is disabled, this can even lead to the execution of injected code (CVE-2026-42945, CVSS 8.1, risk “high”; CVSS4 9.2, risk “critical”). The newer CVSS 4 assessment yields the higher risk rating.
The vulnerability is long-standing: the responsible code is 18 years old and has thus come of age. A proof-of-concept (PoC) exploit demonstrates exploitation of the “NGINX Rift” vulnerability. VulnCheck states on LinkedIn that active exploitation of the vulnerability in the wild has now been observed. Typically, this leads to a DoS against vulnerable servers, of which, according to VulnCheck, 5.7 million are reachable on the internet.
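A defensive configuration audit for the condition described above, as an added example that is not code from F5, NGINX or heise: it flags every rewrite whose replacement contains a “?” and that is followed in the same block by a rewrite, if, or set directive. The matching rule is an assumption derived only from this article's wording, and the names `parse`, `audit` and `SAMPLE` are hypothetical.

```python
import re
import shlex

FOLLOWERS = {"rewrite", "if", "set"}  # directives the article names

def parse(conf):
    """Return [(line_no, depth, name, args)] for every directive in conf."""
    out, depth, buf, start, quote = [], 0, "", 1, None
    for no, line in enumerate(conf.splitlines(), 1):
        line = re.sub(r"(?<!\S)#.*", "", line)  # strip comments (heuristic)
        for ch in line + " ":
            if ch in "\"'" and quote in (None, ch):
                quote = None if quote else ch  # enter or leave a quoted string
            if quote is None and ch in ";{}":
                words = shlex.split(buf, posix=False)
                if words:
                    out.append((start, depth, words[0], words[1:]))
                depth += (ch == "{") - (ch == "}")
                buf = ""
                continue
            start = start if buf.strip() else no  # line where directive begins
            buf += ch
    return out

def audit(conf):
    """Return [(rewrite_line, follower_line, follower_name)] for each match."""
    found, ds = [], parse(conf)
    for i, (no, depth, name, args) in enumerate(ds):
        if name != "rewrite" or len(args) < 2 or "?" not in args[1]:
            continue
        for no2, depth2, name2, _ in ds[i + 1:]:
            if depth2 < depth:  # the enclosing block has closed
                break
            if depth2 == depth and name2 in FOLLOWERS:
                found.append((no, no2, name2))
                break
    return found

# Constructed sample (an include file with two locations), not from the advisory.
SAMPLE = r"""
location /old {
    rewrite ^/old/(.*)$ /new?page=$1;   # "?" in the replacement
    set $seen 1;
}
location /ok { rewrite ^/ok/(.*)$ /app/$1; set $seen 1; }
"""

if __name__ == "__main__":
    print(audit(SAMPLE))  # [(3, 4, 'set')]
```

A hit marks a rule to review against F5's advisory; it does not prove exploitability, and included files have to be audited separately.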
Further vulnerabilities in NGINX OSS and Plus
Several other vulnerabilities have been discovered in NGINX OSS and Plus, but they have a significantly lower risk rating. In the HTTP/3 QUIC module, there is a spoofing vulnerability (CVE-2026-40460, CVSS 6.5, risk “medium”). ngx_http_scgi_module and ngx_http_uwsgi_module can excessively consume memory or disclose data (CVE-2026-42946, CVSS 6.5, risk “medium”). Further vulnerabilities affect the HTTP/2 proxy mode (CVE-2026-42926, CVSS 5.8, risk “medium”), the ngx_http_charset_module (CVE-2026-42934, CVSS 4.8, risk “medium”), and the ngx_http_ssl_module (CVE-2026-40701, CVSS 4.8, risk “medium”).
Not every vulnerability affects every NGINX OSS and Plus version, but the latest versions include fixes for the vulnerabilities that affect them. F5 names NGINX Plus versions 37.0.0, R36 P4 and R32 P6, NGINX Open Source 1.31.0 and 1.30.1 (0.x versions do not receive a fix), and others as releases that fix the security-relevant bugs. However, F5 does not yet have fixes available for several products, including NGINX Instance Manager, NGINX App Protect WAF, and others. For the vulnerability already being exploited, the advisory also describes adjustments to rewrite rules so that they no longer exhibit the vulnerability.
Recently, vulnerabilities in the Nginx UI web interface also came to light. Among other things, they allowed attackers to take over entire instances.
(dmk)