CVE Research
sekurity-team
InSEKurity of the Week (CW20/2026): NGINX Rift -- 18-Year-Old Rewrite Module Heap Overflow, Unauthenticated DoS & Potential RCE (CVE-2026-42945)
A size-mismatch bug in the NGINX rewrite module lets a remote, unauthenticated attacker overflow the heap with a single crafted HTTP request -- reliable worker crashes for everyone, potential RCE where ASLR is off. CVSS 4.0 9.2, public PoC, exploited in the wild since 2026-05-16, ~5.7M exposed servers
Exploit
01