Share
## https://sploitus.com/exploit?id=76C3397C-09F4-5F1E-B0A5-5AC97266BE1B
# CVE-2026-42945 (NGINX Rift) โ€” defensive scanner

Organizations running **NGINX Open Source**, **NGINX Plus**, or NGINX-based ingress/controllers should verify whether they are affected by [CVE-2026-42945](https://nvd.nist.gov/vuln/detail/CVE-2026-42945) and patch or reconfigure before exploitation attempts hit production edges.

This repository provides a **read-only, non-exploit** scanner for authorized defensive use on systems you own or are permitted to test.

## What the vulnerability is

| Item | Detail |
|------|--------|
| CVE | CVE-2026-42945 |
| Name | NGINX Rift |
| Component | `ngx_http_rewrite_module` (heap buffer overflow) |
| Affected versions | NGINX Open Source **0.6.27** through **1.30.0** |
| Fixed versions | **1.30.1**, **1.31.0** (+ vendor backports) |
| CVSS | 9.2 (Critical) |

Exploitation requires a **specific rewrite configuration**:

1. A `rewrite` directive using an **unnamed** PCRE capture (`$1`, `$2`, โ€ฆ) in the replacement
2. The replacement string contains **`?`**
3. Another `rewrite`, `if`, or `set` in the **same** `server`/`location` scope uses that capture

Impact:

- **DoS** (worker crash) is the most realistic outcome and is being exploited in the wild.
- **RCE** is harder and typically requires **ASLR disabled** on the host.

## What this scanner does

| Check | Method |
|-------|--------|
| Version | Local `nginx -v` or passive `Server` header |
| Config trigger | Heuristic parse of `nginx -T` or a config file |
| ASLR (Linux) | `/proc/sys/kernel/randomize_va_space` |
| Guidance | Prioritized remediation steps |

It does **not** send crafted exploit requests or attempt to crash workers.

## Quick start

```bash
cd nginx-cve-2026-42945
chmod +x scan_nginx_rift.py

# Best: run on each NGINX host with sudo
sudo python3 scan_nginx_rift.py --local

# Or scan a full config dump
sudo nginx -T 2>&1 | tee /tmp/nginx-full.txt
python3 scan_nginx_rift.py --local --config /tmp/nginx-full.txt

# Passive remote banner check (version only)
python3 scan_nginx_rift.py --url https://your-site.example/

# JSON for automation
python3 scan_nginx_rift.py --local --json --fail-on high
```

Exit code `1` when risk is **HIGH** or **CRITICAL** (use `--fail-on` to tune CI gates).

## Interpreting results

| Risk | Meaning |
|------|---------|
| **CRITICAL** | Vulnerable version + rewrite pattern matching known trigger |
| **HIGH** | Vulnerable version and suspicious rewrites, or unknown version with likely trigger |
| **MEDIUM** | Vulnerable version, no trigger found in scanned config (still patch) |
| **LOW** | Patched version but risky rewrite patterns remain |
| **INFO** | Patched and no trigger patterns in scanned config |

## Remediation (summary)

1. **Upgrade** to NGINX 1.30.1 / 1.31.0+ or your OS/vendor security package.
2. **Restart** workers after upgrade (`systemctl restart nginx`), not only `reload`.
3. **Audit** full config: `sudo nginx -T` and search rewrite rules with `$1`/`$2` and `?`.
4. **Temporary mitigation**: use **named captures** instead of `$1`, `$2`:

   ```nginx
   # Vulnerable pattern (simplified)
   rewrite ^/api/(.*)$ /internal?migrated=true;
   set $original_path $1;

   # Safer pattern
   rewrite ^/api/(?.*)$ /internal?migrated=true;
   set $original_path $path;
   ```

5. Confirm **ASLR** stays enabled on Linux (`randomize_va_space=2`).
6. Review **Kubernetes ingress**, Helm charts, and generated configs โ€” not only `/etc/nginx/nginx.conf`.

## References

- [NGINX security advisories](https://nginx.org/en/security_advisories.html)
- [NVD โ€” CVE-2026-42945](https://nvd.nist.gov/vuln/detail/CVE-2026-42945)
- [depthfirst โ€” NGINX Rift](https://depthfirst.com/nginx-rift)
- F5 advisory: K000161019

## Legal

Use only on infrastructure you are authorized to assess. Unauthorized scanning may violate policy or law.