NGINX Rift (CVE-2026-42945): Patched nginx available in testing


Post by Starburst-David »

⚠️ A heap-based buffer overflow in nginx’s ngx_http_rewrite_module, disclosed as CVE-2026-42945 and nicknamed NGINX Rift, allows an unauthenticated attacker to crash a worker process, or potentially achieve remote code execution on hosts with ASLR disabled, by sending a single crafted HTTP request.

If you operate an internet-facing nginx instance, especially one with non-trivial rewrite rules in front of a PHP or application backend, this matters.

AlmaLinux's core team has built patched nginx packages, which are available in their testing repository.
After the community has helped verify them, AlmaLinux will release them to the production repositories.
 


Re: NGINX Rift (CVE-2026-42945): Patched nginx available in testing

Post by overseer »

I think The Register's quote from Kevin Beaumont is spot-on:
Security researcher Kevin Beaumont noted that while the bug is real, modern Linux defaults significantly reduce the likelihood of successful real-world RCE. "Regarding CVE-2026-42945 in nginx – no modern (or even old) Linux distribution runs nginx without ASLR," Beaumont said. "So, cool, sweet technical vuln – it's valid – but the RCE apocalypse ain't coming."
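A triage sketch for the two conditions this thread turns on (rewrite rules in use, ASLR state), added here as an example and not taken from the posts or from AlmaLinux. Counting `rewrite`, `if` and `set` as the directives of interest and the urgent/elevated/routine labels are assumptions; every result still calls for the patched package.

```sh
#!/bin/sh
# Added example (not from the thread): rank a host for CVE-2026-42945 patching.
# Every result still means "install the patched nginx"; this only orders the work.

# Map a randomize_va_space value file to disabled / partial / full / unknown.
aslr_state() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo disabled ;;
        1) echo partial ;;
        2) echo full ;;
        *) echo unknown ;;
    esac
}

# Count rewrite/if/set directives in nginx config text read from stdin.
# Comments are stripped first; names such as proxy_set_header or rewrite_log
# do not match because the keyword must be followed by whitespace or "(".
rewrite_directive_count() {
    sed 's/#.*//' |
        grep -Eo '(^|[;{}])[[:space:]]*(rewrite|if|set)[[:space:](]' |
        wc -l | tr -d '[:space:]'
}

# triage [ASLR_FILE] < config  ->  urgent | elevated | routine
# (labels are this example's own, chosen for illustration)
triage() {
    n=$(rewrite_directive_count)
    a=$(aslr_state "${1:-}")
    if [ "$n" -eq 0 ]; then
        echo routine        # no rewrite/if/set directives found in this config
    elif [ "$a" = disabled ]; then
        echo urgent         # rewrite rules present and ASLR off
    else
        echo elevated       # rewrite rules present, ASLR on or unknown
    fi
}

# Live use: sh triage.sh --live   (nginx -T dumps the full effective config)
if [ "${1:-}" = "--live" ]; then
    nginx -T 2>/dev/null | triage
fi
```
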