Sources:
- F5: CVE-2026-42945 - buffer overflow in ngx_http_rewrite_module
- F5: CVE-2026-42926 - HTTP/2 request injection in ngx_http_proxy_module
- F5: CVE-2026-42946 - buffer overread in scgi and uwsgi modules
tldr: Three NGINX vulnerabilities were disclosed to F5 in May 2026. CVE-2026-42945, also known as NGINX Rift, is a buffer overflow in ngx_http_rewrite_module that may cause worker crashes, denial of service, and under some conditions remote code execution. CVE-2026-42926 is an HTTP/2 request injection in ngx_http_proxy_module. CVE-2026-42946 is a buffer overread in the scgi and uwsgi modules that carries a risk of memory disclosure. All three are fixed in NGINX 1.30.1 and 1.31.0.

Affected versions and systems

| CVE | Impact | Affected | Upgrade to |
|---|---|---|---|
| CVE-2026-42945 (NGINX Rift) | Buffer overflow, worker crash, DoS, potential RCE | 0.6.27–1.30.0 | 1.30.1+, 1.31.0+ |
| CVE-2026-42926 | HTTP/2 request injection, incorrect backend routing | 1.29.4–1.30.0 | 1.30.1+, 1.31.0+ |
| CVE-2026-42946 | Buffer overread, memory disclosure, worker crash | 0.8.42–1.30.0 | 1.30.1+, 1.31.0+ |

What to do

- Upgrade NGINX to 1.30.1 or 1.31.0.
- Review F5 advisories for each CVE for environment-specific guidance.
- Verify ASLR is enabled on systems running NGINX.
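
A quick host check for the steps above, as an added example (not code from F5 or the NGINX project). The function names are hypothetical, the fallback banner is a constructed sample, and the ASLR check assumes a Linux host exposing `/proc/sys/kernel/randomize_va_space`:

```shell
#!/bin/sh
# Added example: flag which of the three CVEs apply to an nginx version
# (ranges copied from the table above) and report the kernel ASLR setting.

# "nginx version: nginx/1.30.0 (Ubuntu)" -> "1.30.0"
parse_version() {
  printf '%s\n' "$1" | sed -nE 's|.*nginx/([0-9]+\.[0-9]+\.[0-9]+).*|\1|p'
}

# "1.30.0" -> 1030000, so versions compare as plain integers
ver_num() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print the CVEs whose affected range (inclusive) contains version $1
affected_cves() {
  v=$(ver_num "$1"); hits=""
  while read -r cve lo hi; do
    if [ "$v" -ge "$(ver_num "$lo")" ] && [ "$v" -le "$(ver_num "$hi")" ]; then
      hits="$hits $cve"
    fi
  done <<EOF
CVE-2026-42945 0.6.27 1.30.0
CVE-2026-42926 1.29.4 1.30.0
CVE-2026-42946 0.8.42 1.30.0
EOF
  echo "${hits# }"
}

# Linux only: 2 = full randomization, 1 = partial (no heap/brk), 0 = off
aslr_status() {
  f=${1:-/proc/sys/kernel/randomize_va_space}
  [ -r "$f" ] || { echo unknown; return 0; }
  case "$(cat "$f")" in
    2) echo full ;; 1) echo partial ;; 0) echo disabled ;; *) echo unknown ;;
  esac
}

# nginx -v writes its banner to stderr; fall back to a constructed sample
if command -v nginx >/dev/null 2>&1; then banner=$(nginx -v 2>&1)
else banner="nginx version: nginx/1.29.5"   # constructed sample
fi
ver=$(parse_version "$banner")
if [ -z "$ver" ]; then echo "could not parse: $banner"
else hits=$(affected_cves "$ver"); echo "nginx $ver: ${hits:-not in an affected range}"
fi
echo "ASLR: $(aslr_status)"
```

Distribution packages may carry backported fixes under an unchanged upstream version number, so confirm a hit against the package changelog before treating the host as unpatched.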