NGINX Rift shows how a small rewrite-rule pattern can become a large operational risk. The flaw is not a universal one-request takeover, but exposed NGINX estates should still treat patching and configuration review as urgent.
18th May 2026 Cyber Update: NGINX Rift Turns Rewrite Rules Into a Critical Server Risk
NGINX is facing renewed scrutiny after the disclosure of a configuration-dependent vulnerability that exposes a long-overlooked attack surface in web infrastructure. The issue, tracked as CVE-2026-42945 and referred to as NGINX Rift, affects both NGINX Open Source and NGINX Plus through a flaw in the ngx_http_rewrite_module.
At its core, the vulnerability is a heap-based buffer overflow triggered under specific rewrite rule conditions. According to F5, exploitation requires a combination of directives, including a rewrite followed by another rewrite, if, or set directive, alongside the use of unnamed PCRE captures such as $1 or $2. If these are paired with a replacement string containing a question mark, a specially crafted HTTP request can corrupt memory within an NGINX worker process. This can result in worker crashes and service disruption. In environments where Address Space Layout Randomisation is disabled, the risk escalates to potential remote code execution.
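For teams reviewing their own configurations, the directive combination described above can be searched for mechanically. The following is an added example, not tooling from F5, NGINX or the researcher: a heuristic Python audit whose function names (`parse`, `audit`) and sample configuration are constructed for illustration. It assumes "followed by" means any later `rewrite`, `if` or `set` in the same block.

```python
import re

# Tokens: comments, quoted strings, structural characters, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+''')
CAPTURE = re.compile(r"\$[1-9]")      # unnamed PCRE capture such as $1 or $2
FOLLOWERS = {"rewrite", "if", "set"}  # directives the article names as the second half

def parse(text):
    """Return scopes; each scope is the ordered list of directives in one { } block."""
    scopes, stack, words = [[]], [0], []
    for tok in TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok in (";", "{"):
            if words:
                scopes[stack[-1]].append(words)
            words = []
            if tok == "{":
                scopes.append([])
                stack.append(len(scopes) - 1)
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            words.append(tok.strip("\"'"))
    return scopes

def audit(text):
    """Flag a rewrite whose replacement contains '?', with $N in use, that is
    followed in the same block by rewrite, if or set (assumed reading)."""
    findings = []
    for scope in parse(text):
        for i, cur in enumerate(scope):
            later = [d for d in scope[i + 1:] if d[0] in FOLLOWERS]
            if cur[0] != "rewrite" or len(cur) < 3 or not later:
                continue
            args = " ".join([cur[2]] + [w for d in later for w in d[1:]])
            if "?" in cur[2] and CAPTURE.search(args):
                findings.append((" ".join(cur), " ".join(later[0])))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r"""
server {
    location /shop { rewrite ^/shop/(.*)$ /index.php?item=$1; set $backend app; }
    location /docs { rewrite ^/docs/(.*)$ /manual/$1; set $x 1; }
    location /blog { rewrite ^/blog/(?<slug>.*)$ /post.php?slug=$slug; if ($args) { return 403; } }
    location /one  { rewrite ^/one/(.*)$ /x.php?id=$1 last; }
}
"""
```

A hit marks a block to review and prioritise for patching, not proof of exploitability. The scan reads one file at a time and does not follow `include` directives, so a clean result on a single file does not clear the whole estate.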
What makes this disclosure notable is not just the technical detail, but its age and reach. Security researcher depthfirst, who reported the issue, describes it as an 18-year-old flaw embedded in widely deployed configurations. Because NGINX often operates at the front line of web infrastructure, handling inbound traffic before it reaches application layers, even niche configuration weaknesses can have broad exposure.
The US National Vulnerability Database classifies the issue as CWE-122, a heap-based buffer overflow, and assigns a CVSS 3.1 score of 8.1, placing it in the high severity category. F5, acting as the CNA, has also issued its own advisory with a critical rating under CVSS v4, signalling elevated concern for certain deployment scenarios.
Why it matters
This vulnerability highlights a persistent blind spot in enterprise security. Many organisations focus on patching software versions but pay less attention to configuration logic, particularly in mature and trusted components like NGINX. Because the flaw can be triggered remotely over HTTP and sits in a widely used module, it increases the risk profile of otherwise stable deployments.
It also reinforces a broader trend in modern exploitation, where attackers target edge infrastructure and misconfigurations rather than relying solely on newly introduced bugs. For organisations running NGINX, especially in high-traffic or internet-facing roles, reviewing rewrite rules and configuration patterns is now a necessary defensive step.