## https://sploitus.com/exploit?id=76C3397C-09F4-5F1E-B0A5-5AC97266BE1B
# CVE-2026-42945 (NGINX Rift) โ defensive scanner
Organizations running **NGINX Open Source**, **NGINX Plus**, or NGINX-based ingress/controllers should verify whether they are affected by [CVE-2026-42945](https://nvd.nist.gov/vuln/detail/CVE-2026-42945) and patch or reconfigure before exploitation attempts hit production edges.
This repository provides a **read-only, non-exploit** scanner for authorized defensive use on systems you own or are permitted to test.
## What the vulnerability is
| Item | Detail |
|------|--------|
| CVE | CVE-2026-42945 |
| Name | NGINX Rift |
| Component | `ngx_http_rewrite_module` (heap buffer overflow) |
| Affected versions | NGINX Open Source **0.6.27** through **1.30.0** |
| Fixed versions | **1.30.1**, **1.31.0** (+ vendor backports) |
| CVSS | 9.2 (Critical) |
Exploitation requires a **specific rewrite configuration**:
1. A `rewrite` directive using an **unnamed** PCRE capture (`$1`, `$2`, โฆ) in the replacement
2. The replacement string contains **`?`**
3. Another `rewrite`, `if`, or `set` in the **same** `server`/`location` scope uses that capture
Impact:
- **DoS** (worker crash) is the most realistic outcome and is being exploited in the wild.
- **RCE** is harder and typically requires **ASLR disabled** on the host.
## What this scanner does
| Check | Method |
|-------|--------|
| Version | Local `nginx -v` or passive `Server` header |
| Config trigger | Heuristic parse of `nginx -T` or a config file |
| ASLR (Linux) | `/proc/sys/kernel/randomize_va_space` |
| Guidance | Prioritized remediation steps |
It does **not** send crafted exploit requests or attempt to crash workers.
## Quick start
```bash
cd nginx-cve-2026-42945
chmod +x scan_nginx_rift.py
# Best: run on each NGINX host with sudo
sudo python3 scan_nginx_rift.py --local
# Or scan a full config dump
sudo nginx -T 2>&1 | tee /tmp/nginx-full.txt
python3 scan_nginx_rift.py --local --config /tmp/nginx-full.txt
# Passive remote banner check (version only)
python3 scan_nginx_rift.py --url https://your-site.example/
# JSON for automation
python3 scan_nginx_rift.py --local --json --fail-on high
```
Exit code `1` when risk is **HIGH** or **CRITICAL** (use `--fail-on` to tune CI gates).
## Interpreting results
| Risk | Meaning |
|------|---------|
| **CRITICAL** | Vulnerable version + rewrite pattern matching known trigger |
| **HIGH** | Vulnerable version and suspicious rewrites, or unknown version with likely trigger |
| **MEDIUM** | Vulnerable version, no trigger found in scanned config (still patch) |
| **LOW** | Patched version but risky rewrite patterns remain |
| **INFO** | Patched and no trigger patterns in scanned config |
## Remediation (summary)
1. **Upgrade** to NGINX 1.30.1 / 1.31.0+ or your OS/vendor security package.
2. **Restart** workers after upgrade (`systemctl restart nginx`), not only `reload`.
3. **Audit** full config: `sudo nginx -T` and search rewrite rules with `$1`/`$2` and `?`.
4. **Temporary mitigation**: use **named captures** instead of `$1`, `$2`:
```nginx
# Vulnerable pattern (simplified)
rewrite ^/api/(.*)$ /internal?migrated=true;
set $original_path $1;
# Safer pattern
rewrite ^/api/(?.*)$ /internal?migrated=true;
set $original_path $path;
```
5. Confirm **ASLR** stays enabled on Linux (`randomize_va_space=2`).
6. Review **Kubernetes ingress**, Helm charts, and generated configs โ not only `/etc/nginx/nginx.conf`.
## References
- [NGINX security advisories](https://nginx.org/en/security_advisories.html)
- [NVD โ CVE-2026-42945](https://nvd.nist.gov/vuln/detail/CVE-2026-42945)
- [depthfirst โ NGINX Rift](https://depthfirst.com/nginx-rift)
- F5 advisory: K000161019
## Legal
Use only on infrastructure you are authorized to assess. Unauthorized scanning may violate policy or law.