vulnerabilitycritical

NGINX Rift: 18-Year-Old RCE Vulnerability Explained

A critical 18-year-old flaw, codenamed NGINX Rift, has been identified in the ngx_http_rewrite_module. Learn how this vulnerability impacts your NGINX deployments and the steps needed to secure your infrastructure.

Published: May 22, 2026Source date: May 21, 2026

NGINX Rift: 18-Year-Old RCE Vulnerability Explained

Key Takeaways

NGINX Rift is an 18-year-old heap buffer overflow vulnerability in the ngx_http_rewrite_module.
The vulnerability allows for unauthenticated DoS and potential RCE if ASLR is disabled.
Configurations using rewrite, if, or set directives with PCRE captures are at specific risk.
Proactive assessment of your web infrastructure is critical to mitigating exposure to this flaw.

How to Defend Against Similar Threats

Audit all NGINX configuration files for the identified directive patterns involving PCRE captures.
Implement vendor-provided patches for NGINX Plus and NGINX Open Source immediately.
Ensure ASLR is enabled across all production server environments as a baseline defense.
Engage with security specialists to conduct a comprehensive vulnerability assessment of your internet-facing assets.

Threat Intel FAQ

What is the primary risk associated with the NGINX Rift vulnerability?

The primary risks are denial-of-service due to NGINX worker process restarts and, in specific environments where Address Space Layout Randomization (ASLR) is disabled, the potential for remote code execution by an unauthenticated attacker.

How can I verify if my NGINX instance is vulnerable?

Organizations should review their NGINX configuration files for the combination of rewrite directives with 'if' or 'set' statements that use unnamed PCRE captures followed by strings containing a question mark. Consulting the official F5 security advisory is the recommended starting point for technical verification.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.