F5, the company supporting the world's most popular web server NGINX, has issued patches for a critical memory corruption bug that causes a heap buffer overflow and could potentially be abused for remote code execution on vulnerable systems.
Researchers at code vulnerability analysis firm Depthfirst analysed the NGINX source code using their artificial intelligence (AI) scanner and found the critical vulnerability, rated 9.2 out of 10 on the Common Vulnerability Scoring System (CVSS) 4.0, in the NGINX rewrite module.
It requires rewrite and set directives to trigger, a specific configuration commonly used in PHP front controllers, WordPress permalinks and application programming interface (API) gateways bridging public links to internal endpoints.
The security vendor has published a proof-of-concept (PoC) on GitHub for the vulnerability, which it has named NGINX Rift and which is indexed as CVE-2026-42945.
Enterprise Linux distribution vendor AlmaLinux noted that turning the PoC into a ready-to-use remote code execution (RCE) exploit is not trivial, as Depthfirst turned off memory address space layout randomisation (ASLR) for its code.
ASLR is a memory corruption protection measure that is enabled by default in every modern operating system; turning it off makes the heap layout predictable.
While RCE is not impossible to achieve, on systems with ASLR on by default the reliable outcome of the bug is a worker process crash, which amounts to a denial of service attack.
Affected versions include NGINX Open Source 0.6.27 to 1.30.0, with the fixed versions being 1.30.1 and 1.31.0.
NGINX Plus R32 to R36 are also vulnerable; fixed versions include R32 P6, R35 P2 and R36 P4.
Depthfirst also found other memory corruption bugs, including one rated as high (8.3/10) and two other medium severity ones.
NGINX has around a third market share of the world's web servers, with many of the internet's most popular sites using it.
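
The following check is an added example, not code from F5, Depthfirst or the article: it applies the affected version ranges and the rewrite/set precondition quoted above to a version banner and a configuration dump. The function names and the sample configuration are constructed; the directive scan is a coarse text match that does not follow `include` files, so it is best run over the output of `nginx -T`.

```python
import re

# Version ranges as quoted in the article; nothing else about the bug is assumed.
OSS_VULN = ((0, 6, 27), (1, 30, 0))          # inclusive range, Open Source
PLUS_FIXED_PATCH = {32: 6, 35: 2, 36: 4}     # Plus release -> first fixed patch
PLUS_VULN = range(32, 37)                    # R32 to R36

def oss_in_range(banner: str) -> bool:
    """Accepts '1.28.0' or `nginx -v` output like 'nginx version: nginx/1.28.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    version = tuple(map(int, m.groups()))
    return OSS_VULN[0] <= version <= OSS_VULN[1]

def plus_in_range(release: int, patch: int = 0) -> bool:
    """NGINX Plus R<release> P<patch>; only R32-R36 are covered by the article."""
    if release not in PLUS_VULN:
        raise ValueError("release outside the range the article lists")
    fixed = PLUS_FIXED_PATCH.get(release)
    # R33 and R34 have no fixed patch level listed, so they stay flagged.
    return fixed is None or patch < fixed

def uses_rewrite_and_set(config_text: str) -> bool:
    """Coarse check: does the config contain both a rewrite and a set directive?"""
    text = re.sub(r"#.*", "", config_text)   # naive comment strip (ignores quoting)
    found = set(re.findall(r"(?:^|[;{}])\s*(rewrite|set)\s", text, re.M))
    return found == {"rewrite", "set"}

def triage(banner: str, config_text: str) -> str:
    if not oss_in_range(banner):
        return "outside affected range"
    if uses_rewrite_and_set(config_text):
        return "affected version, rewrite+set present: patch first"
    return "affected version, directives not seen: patch anyway"

# Constructed sample input (not taken from any real host).
SAMPLE_CONF = """
server {
    location / {
        set $target index.php;   # front-controller style routing
        rewrite ^/(.*)$ /$target?q=$1 last;
    }
}
"""

if __name__ == "__main__":
    print(triage("nginx version: nginx/1.28.0", SAMPLE_CONF))
    print(triage("nginx version: nginx/1.30.1", SAMPLE_CONF))
```

NGINX Plus hosts should be checked with `plus_in_range`, passing the release and patch numbers, rather than by the open source version string.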




