NGINX Rift: What SRE Teams Should Patch Today

If your edge stack depends on NGINX, this is worth checking today. The disclosure from depthfirst describes an 18-year-old bug in ngx_http_rewrite_module that can be triggered through crafted HTTP requests when certain rewrite patterns are present.
What is NGINX Rift?
NGINX Rift is CVE-2026-42945, a critical vulnerability with a CVSS v4.0 score of 9.2. According to the disclosure, the flaw lives in the rewrite engine and appears when a rewrite directive uses unnamed regex captures like $1, the replacement string contains a question mark, and another rewrite, if, or set directive follows in the same scope.
That combination causes NGINX to calculate buffer length with one escaping assumption and copy data with another. The result is a deterministic heap overflow in the worker process.
Affected software includes NGINX Open Source 0.6.27 through 1.30.0, NGINX Plus R32 through R36, and several NGINX-based products such as Ingress Controller and Gateway Fabric.
Why SRE Teams Should Care
This issue sits on the data plane, not just the control plane. If a public endpoint reaches a vulnerable NGINX instance, an attacker can send crafted requests without authentication.
That matters for SRE teams because the blast radius can include:
- internet-facing reverse proxies
- Kubernetes ingress layers built on NGINX
- shared edge clusters serving many apps
- WAF and gateway products that embed affected NGINX versions
Even if you do not hit full remote code execution, repeated crashes can still create an ugly availability problem.
How To Check Your Exposure
First, verify your NGINX version:
nginx -v
Then inspect your config for risky rewrite patterns that use unnamed captures and a ? in the replacement string:
grep -R "rewrite .*\\$1.*?\|rewrite .*\\$2.*?" /etc/nginx
A vulnerable pattern looks like this:
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
A safer temporary rewrite uses named captures instead:
rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
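As an added example (not from the disclosure or this post), here is a small Python audit that goes a step further than the grep above: it tracks nginx block scope, so it flags a rewrite only when the replacement uses an unnamed capture and a ? and another rewrite, if, or set directive follows in the same block. The config it scans is constructed for the demo; point parse_statements at the contents of your real nginx.conf and included files.

```python
import re

# Constructed sample config (not a real deployment): one risky rewrite followed by set, one named-capture rewrite, one lone rewrite.
SAMPLE_CONFIG = """
location /legacy {
    rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
    set $flag 1;   # follows in the same scope: the risky combination
}
location /named {
    rewrite ^/users/(?<uid>[0-9]+)/profile/(?<tab>.*)$ /profile.php?id=$uid&tab=$tab last;
    if ($arg_x) { return 403; }
}
location /lone { rewrite ^/old/(.*)$ /new.php?p=$1 last; }
"""

def parse_statements(config: str) -> list[tuple[int, str]]:
    """Split nginx config into (scope_id, statement); a block opener like 'if (...)' stays in the enclosing scope."""
    stmts, stack, next_id, buf, quote, i = [], [0], 1, "", None, 0
    while i < len(config):
        ch = config[i]
        if quote or ch in "\"'":       # inside quotes: ; { } # are literal
            quote = None if ch == quote else (quote or ch)
            buf += ch
        elif ch == "#":                # comment runs to end of line
            i = config.find("\n", i)
            if i < 0:
                break
        elif ch in ";{}":              # end of a statement or block
            text = " ".join(buf.split())
            if text:
                stmts.append((stack[-1], text))
            buf = ""
            if ch == "{":
                stack.append(next_id); next_id += 1
            elif ch == "}" and len(stack) > 1:
                stack.pop()
        else:
            buf += ch
        i += 1
    return stmts

def find_risky_rewrites(config: str) -> list[str]:
    """Return rewrites whose replacement uses $1..$9 and '?', followed by rewrite/if/set in the same scope."""
    stmts, risky = parse_statements(config), []
    for idx, (scope, text) in enumerate(stmts):
        parts = text.split()
        if len(parts) < 3 or parts[0] != "rewrite":
            continue
        replacement = parts[2].strip("\"'")        # rewrite <regex> <replacement> [flag]
        later = [s.split()[0] for sc, s in stmts[idx + 1:] if sc == scope]
        if (re.search(r"\$\d", replacement) and "?" in replacement
                and any(d in ("rewrite", "if", "set") for d in later)):
            risky.append(text)
    return risky
```

Only the /legacy rule is reported: the named-capture rule has no $N and the /lone rule has nothing after it in its block, which matches the three-part condition in the disclosure.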
Remediation
The best fix is to upgrade. The disclosure lists 1.30.1 and 1.31.0 as fixed NGINX Open Source releases, with patch releases for affected NGINX Plus branches.
A practical response plan for operations teams is:
- patch internet-facing NGINX first
- review ingress and gateway products that bundle NGINX
- replace unnamed captures with named captures where needed
- restart workers after upgrade so the patched binary is active
- add version and config checks to your fleet audit jobs
Conclusion
NGINX Rift is the kind of bug SRE teams cannot ignore because it lives at the front door of production. Check versions, audit rewrite rules, and patch exposed systems before this turns into a noisy incident.
For teams that want faster incident detection and guided remediation across edge services, Akmatori helps SRE teams automate investigation, triage, and response workflows with AI agents while keeping humans in control of production actions.
