
NGINX Rift Is An 18-Year-Old Heap Overflow Being Exploited Right Now. Here Is How To Hunt It In Your Logs Tonight.

  • Writer: Patrick Duggan
  • 1 day ago
  • 6 min read

CVE-2026-42945, dubbed NGINX Rift, is a heap buffer overflow in the ngx_http_rewrite_module that has been sitting in the codebase since NGINX 0.6.27. That is 2008. The vulnerability is rated CVSS 9.2 and affects every release from 0.6.27 through 1.30.0. Exploitation in the wild has been confirmed this week. The patch shipped May 13, 2026. If you have not deployed it yet, the rest of this post is what to look for in your logs while you finish the change-management ticket.



What Triggers The Bug


The flaw is a size mismatch between two passes over a rewrite replacement string. When a rewrite directive uses an unnamed PCRE capture (the variables written $1, $2, and so on), the replacement contains a question mark, and the directive is followed by another rewrite, an if, or a set directive, NGINX computes the destination buffer size using one escaping method but writes the result using a different one. Characters that re-escape during the write pass (plus signs, percent signs, ampersands) expand mid-write and run past the end of the allocation.


The public exploitation payload reported by multiple researchers this week is 349 bytes of safe URI padding followed by 2,000 URI-escapable characters — heavily front-loaded with plus signs. That arrangement triggers a deterministic 4,000-byte heap overflow against any vulnerable rewrite rule that fits the configuration shape above. Denial of service is universal. Remote code execution is conditional — it requires ASLR to be disabled on the target host. ASLR is on by default in every modern Linux build, so the RCE path is narrow, but the DoS path is wide and is the one being abused at scale.



The Configuration Surface To Inventory


Before you hunt the logs, inventory which of your NGINX instances even have the vulnerable shape. The vulnerable shape requires three conditions to hold in the same server or location block.


First, a rewrite directive that uses unnamed PCRE captures: anywhere the replacement string contains a dollar sign followed by a digit ($1, $2, and so on), as opposed to a named back-reference of the form ${name}.


Second, the replacement string contains a literal question mark.


Third, that rewrite is followed by another rewrite, an if, or a set directive in the same block.


The mitigation, if you cannot patch immediately, is to convert the unnamed captures to named captures: replace $1 with the named back-reference form ${name} and declare the capture name in the PCRE pattern, for example (?<name>...). That breaks the size-mismatch path because the named-capture escape pass is consistent across the two passes.


Run a grep over your nginx.conf and every file under your conf.d, sites-enabled, and include paths. Look for the substring "rewrite " followed by a regex that contains a parenthesized group, followed by a replacement that contains both a dollar-sign-digit and a question mark. Anywhere that pattern matches and is followed by another rewrite, if, or set within the same block is a vulnerable shape. The patch removes the size-mismatch entirely, but the inventory is still useful — it tells you exactly which routes attackers would have aimed at, which tells you where to look in your access logs.
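A small scanner for the three-condition shape, as an added example that is not code from the post. It assumes a deliberately simple tokenizer (comments stripped, quoted strings containing `;`, `{` or `}` not handled) and runs over a constructed config fragment with one vulnerable block, one already converted to a named capture, and one with no follow-on directive.

```python
import re

UNNAMED_CAPTURE = re.compile(r"\$\d")        # $1, $2, ... inside a replacement string
FOLLOW_ON = {"rewrite", "if", "set"}         # directive class that completes the shape

# Constructed config fragment (not from the post): /go has the full shape, /r is already
# mitigated with a named capture, /search has no follow-on directive after the rewrite.
SAMPLE_CONF = """
server {
    location /go {
        rewrite ^/go/(.*)$ /redirect?target=$1 last;
        set $flag 1;
    }
    location /r {
        rewrite ^/r/(?<t>.*)$ /redirect?target=${t} last;
        set $flag 1;
    }
    location /search {
        rewrite ^/search/(.*)$ /find?q=$1 last;
    }
}
"""

def _statements(text):
    """Yield ('dir'|'open'|'close', words) from nginx config text; comments stripped, quoting ignored."""
    buf = ""
    for ch in re.sub(r"#[^\n]*", "", text):
        if ch in ";{}":
            words, buf = buf.split(), ""
            yield {";": "dir", "{": "open"}.get(ch, "close"), words
        else:
            buf += ch

def find_vulnerable_shapes(conf_text):
    """Return [(block_path, rewrite_words)] for each rewrite with an unnamed capture and a '?'
    in its replacement that is followed by rewrite/if/set in the same block."""
    hits, stack = [], []                         # stack: [(block_name, [directive words])]
    for kind, words in _statements(conf_text):
        if kind == "open":
            if stack and words[:1] == ["if"]:    # an if block is itself a follow-on directive
                stack[-1][1].append(words)
            stack.append((" ".join(words), []))
        elif kind == "dir" and stack:
            stack[-1][1].append(words)
        elif kind == "close" and stack:
            name, directives = stack.pop()
            path = "/".join([b[0] for b in stack] + [name])
            for i, d in enumerate(directives):
                if len(d) >= 3 and d[0] == "rewrite" and UNNAMED_CAPTURE.search(d[2]) \
                        and "?" in d[2] and any(f[0] in FOLLOW_ON for f in directives[i + 1:] if f):
                    hits.append((path, d))
    return hits
```

Run it over each file in your include tree and review every path it returns; a hit on a route tells you which access-log paths to filter on next.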



The Log Signature To Hunt


The exploitation payload is a URI-shaped request body, so it lands in your access logs as an extremely long request URI heavily weighted toward URI-escapable characters. The characteristic shape is roughly 2,000 to 3,000 characters of request URI, with plus signs and percent signs comprising more than half of the URI length, often arriving as the URI portion of a GET or as the query string of a POST.


A first-pass hunt against an Apache-style combined access log is to extract every request URI longer than 1,000 characters and count the ratio of plus signs to total URI length. Anything above 0.4 on a sustained basis — meaning forty percent of the URI is plus signs — is suspicious. The benign URIs that hit this length and density profile are vanishingly rare. The exploitation payloads sit comfortably in the eighty-percent-plus range.


Pair the long-URI hunt with a path-coincidence check. If your rewrite-using location is /search, /redirect, /go, /r, /proxy, or any of the common short-name redirect routes, filter your long-URI hits to those paths. The volume drops by an order of magnitude and the signal-to-noise ratio rises sharply. The attacker is hitting the rewrite rule, not the static-content paths, because static paths do not run the rewrite engine.


For the worker-crash signature, watch your NGINX error logs for SIGSEGV entries near recent access-log spikes of long URIs. A worker that segfaults under the payload restarts in seconds, but the SIGSEGV is logged. Repeated SIGSEGV from the same source IP within a five-minute window is the exploitation receipt. If you see one SIGSEGV every couple of weeks from random IPs, that is background noise. Three from the same IP in three minutes is the exploit landing.
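The burst-and-crash correlation described above, as an added example that is not code from the post. NGINX records a segfaulted worker in the error log as a worker process that "exited on signal 11"; that line carries no client address, so the example attributes a crash to a source IP when it lands within a short lag after one of that IP's long-URI hits. The error-log excerpt and the (ip, timestamp) hit list are constructed, and both are assumed to be in UTC; the five-minute window and three-hit threshold are the post's.

```python
import re
from datetime import datetime, timedelta, timezone

# Worker crash line: "<ts> [alert] <pid>#<tid>: worker process <pid> exited on signal 11"
SEGV_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] .*exited on signal 11")

# Constructed error-log excerpt (not from a real host): three worker segfaults
# in under two minutes, plus one unrelated notice line.
SAMPLE_ERROR_LOG = """\
2026/05/14 03:12:00 [alert] 1201#1201: worker process 1304 exited on signal 11
2026/05/14 03:12:06 [notice] 1201#1201: start worker process 1399
2026/05/14 03:12:06 [alert] 1201#1201: worker process 1310 exited on signal 11
2026/05/14 03:13:41 [alert] 1201#1201: worker process 1399 exited on signal 11
"""

# Constructed (ip, access-log timestamp) pairs for long-URI hits already pulled
# from the access log; assumed UTC, matching the error log above.
SAMPLE_HITS = [
    ("203.0.113.7", "14/May/2026:03:11:58 +0000"),
    ("203.0.113.7", "14/May/2026:03:12:04 +0000"),
    ("203.0.113.7", "14/May/2026:03:13:40 +0000"),
    ("198.51.100.4", "14/May/2026:03:40:00 +0000"),
]

def segfault_times(error_log):
    """Timestamps (UTC) of every 'exited on signal 11' alert in error-log text."""
    stamps = []
    for line in error_log.splitlines():
        m = SEGV_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            stamps.append(ts.replace(tzinfo=timezone.utc))
    return stamps

def attribute_crashes(hits, error_log, window=timedelta(minutes=5),
                      lag=timedelta(seconds=10), min_hits=3):
    """Per source IP: (hits in its busiest window, segfaults within `lag` after one of its
    hits, receipt flag). The flag is True only when both the burst and a crash are present."""
    crashes = segfault_times(error_log)
    by_ip = {}
    for ip, ts in hits:
        by_ip.setdefault(ip, []).append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        busiest = max(sum(1 for u in times if t <= u < t + window) for t in times)
        attributed = sum(1 for c in crashes if any(t <= c <= t + lag for t in times))
        result[ip] = (busiest, attributed, busiest >= min_hits and attributed > 0)
    return result
```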



The SIEM Translation


In Splunk, the search shape is: the index of your nginx access logs, where the length of the request URI is greater than 1500 and the count of the literal plus sign in the URI divided by URI length is above 0.4, grouped by source IP and ranked by event count, descending. The top of that list is your hunt result.


In Elastic Stack, run an Elasticsearch query for nginx access logs filtered on uri.length above 1500 and a regex match where the URI contains an aggressive run of plus signs — twenty or more consecutive plus signs is the cleanest single regex tell. Aggregate by source.ip and review the top buckets.


In a raw access-log grep, the one-liner is to filter for lines where awk reports the seventh field longer than 1,500 characters, pipe that to a short python or perl script that counts the plus signs in field seven and divides by field seven's length, sort descending, and review anything above 0.3. On a host with no abuse this returns zero rows. On a host that has been hit it returns a roster of source IPs and the precise minute they hit you.
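The long-URI plus-ratio hunt with the path-coincidence filter (the first-pass hunt, the /search, /go, /r route filter, and the raw-grep one-liner above), as an added example that is not code from the post: one Python pass over combined-format access log lines that returns a per-source roster. The 1,500-character and 0.3 thresholds and the route list come from the post; the four log lines are constructed.

```python
import re
from collections import defaultdict

# Apache/NGINX combined format: ip ident user [ts] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" \d{3} \S+')

# Rewrite-style routes the post names; the path filter keeps only hits on these.
REWRITE_PATHS = ("/search", "/redirect", "/go", "/r", "/proxy")

# Constructed sample lines (not real traffic): two plus-dense hits on /go from one
# source, one long but benign /search query, one ordinary request.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [14/May/2026:03:11:58 +0000] "GET /go/' + "+" * 1700 + ' HTTP/1.1" 499 0 "-" "curl/8.6.0"',
    '203.0.113.7 - - [14/May/2026:03:12:04 +0000] "GET /go/' + "%2B" * 100 + "+" * 1500 + ' HTTP/1.1" 499 0 "-" "curl/8.6.0"',
    '198.51.100.4 - - [14/May/2026:03:12:30 +0000] "GET /search?q=' + "a" * 1600 + ' HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/May/2026:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
])

def score_uri(uri):
    """Return (length, plus_ratio): the share of the URI that is literal '+' characters."""
    return len(uri), (uri.count("+") / len(uri) if uri else 0.0)

def on_rewrite_path(uri, paths=REWRITE_PATHS):
    """True when the URI's path component is one of the rewrite routes, exactly or as a leading segment."""
    path = uri.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in paths)

def hunt(log_text, min_len=1500, min_ratio=0.3, paths=REWRITE_PATHS):
    """Roster of source IPs sending long, plus-dense URIs to rewrite routes.
    Each row is (ip, hit_count, max_ratio, first_ts, last_ts), highest count first."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip rather than guess
        uri = m.group("uri")
        length, ratio = score_uri(uri)
        if length < min_len or ratio < min_ratio:
            continue
        if paths and not on_rewrite_path(uri, paths):
            continue
        per_ip[m.group("ip")].append((m.group("ts"), ratio))
    roster = [(ip, len(h), max(r for _, r in h), h[0][0], h[-1][0]) for ip, h in per_ip.items()]
    return sorted(roster, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for row in hunt(SAMPLE_LOG):
        print(row)
```

Pass `paths=()` to drop the route filter on hosts whose rewrite rules live on other paths; the ratio and length thresholds still do most of the work.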



What To Do With The Hits


If your hunt returns nothing across a representative window — seven days back is sufficient for the wave of in-the-wild activity that started this week — you were either not exposed or were too obscure to be on this week's target list. Either way, patch and move on.


If your hunt returns hits, the question is whether the worker survived. A worker that crashed is an attempted exploitation. A worker that did not crash but logged the long-URI pattern is reconnaissance — an attacker fingerprinting your version before deciding whether to commit the heavier payload. Both are worth a same-day patch and a same-day IP block. If your environment has ASLR explicitly disabled — older containers, certain hardened-but-historical builds, some embedded NGINX deployments — the same hits are an RCE attempt and the response posture changes to incident response, not patch-and-block.



What This Closes


The technical lesson is that an eighteen-year-old escape-pass mismatch survived in the most widely deployed web server on the internet because nobody fuzzed the rewrite engine against the exact combination of unnamed captures, question marks, and the follow-on directive class. The disclosure history of CVE-2026-42945 is short — the researchers found it, reported it, NGINX patched it within the standard window, and the in-the-wild exploitation began within days of the patch announcement, which is the now-normal pattern. The defenders who patched on May 13 are clean. The defenders who deferred patching to next month's window are not.


The hunt above is what to run between now and the patch deployment. The log signature is durable through the next round of payload variants because the size-mismatch shape forces the heavy plus-sign density regardless of which exact bytes the attacker chooses. Any payload that triggers the bug must look like the payload above. The defenders who can find it in their logs can find every variant.


The DugganUSA threat-intelligence feed indexed our own first two CVE-2026-42945-adjacent indicators this week, both tagged SmartLoader-family. The dedicated CVE-2026-42945 cluster is still small in our corpus, which means the wave is still cresting, not breaking. That is the window. Hunt it tonight.
