A critical 18-year-old buffer overflow flaw, tracked as CVE-2026-42945 and dubbed NGINX Rift, has been uncovered in NGINX, the world's most widely deployed web server. The vulnerability, assigned a CVSS v4 score of 9.2, affects both NGINX Plus and NGINX Open Source and has gone undetected in the codebase for nearly two decades. The heap buffer overflow was disclosed by security researchers at depthfirst, and its implications are far-reaching. Given the ubiquity of NGINX, the likelihood of exploitation is high, so practitioners should prioritize mitigation based on their exposure and on evidence of exploitation. The disclosure of CVE-2026-42945 significantly expands the active attack surface for organizations that rely on NGINX, which should promptly assess their exposure to NGINX Rift and take corrective action to prevent potential attacks.