NGINX Rift (CVE-2026-42945) is a critical remote-code-execution bug in NGINX's rewrite module. An attacker can trigger it with crafted HTTP requests against vulnerable versions running vulnerable configurations.
In practice, a configuration becomes dangerous when a rewrite rule uses unnamed regex captures such as $1 or $2, includes a ? in the rewrite target, and is followed by another rewrite, if or set directive in the same block. This combination leads to a heap buffer overflow inside the worker process, which can be steered toward remote code execution.
To mitigate, upgrade NGINX Open Source and NGINX Plus to the fixed releases (1.30.1/1.31.x and the corresponding Plus patches), restart all workers, and review your configuration. Replace rewrites that use $1, $2, … with named captures such as $user_id, and avoid risky rewrite chains where possible. Until you can patch, tightening those rewrite rules, adding basic WAF rules, and monitoring for unusual URIs and worker crashes can significantly reduce exposure.
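As an added example that is not part of the advisory, the following Python audit script scans an nginx configuration for the rewrite pattern described above (unnamed $N captures, a ? in the replacement, and a later rewrite, if or set directive in the same block) and shows the named-capture form that replaces it. The sample configs, the /profile location and the $audited variable are constructed for illustration.

```python
import re

# Constructed sample configs (not from the advisory): the risky chain, the
# named-capture rewrite that replaces it, and the unsafe rewrite on its own.
RISKY_CONF = """
location /profile {
    rewrite ^/profile/([0-9]+)/(.*)$ /users/$2?id=$1 last;
    set $audited 1;
}
"""
SAFE_CONF = """
location /profile {
    rewrite ^/profile/(?<user_id>[0-9]+)/(?<rest>.*)$ /users/$rest?id=$user_id last;
    set $audited 1;
}
"""
ALONE_CONF = """
location /profile {
    rewrite ^/profile/([0-9]+)/(.*)$ /users/$2?id=$1 last;
}
"""

UNNAMED_CAPTURE = re.compile(r"\$[1-9]")        # $1 .. $9 in the replacement
FOLLOWUP = re.compile(r"^(rewrite|if|set)\b")   # directives that complete the chain

def find_risky_rewrites(conf: str):
    """Return [(line_no, directive)] for each rewrite that uses an unnamed
    capture, has a '?' in its replacement, and is followed by another
    rewrite/if/set directive inside the same {...} block."""
    findings = []
    pending = [[]]  # one list of candidate rewrites per open block
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        # A later rewrite/if/set confirms every candidate already seen in this block.
        if FOLLOWUP.match(line) and pending[-1]:
            findings.extend(pending[-1])
            pending[-1].clear()
        if line.startswith("rewrite"):
            parts = line.rstrip(";").split()  # rewrite <regex> <replacement> [flag]
            if len(parts) >= 3 and "?" in parts[2] and UNNAMED_CAPTURE.search(parts[2]):
                pending[-1].append((no, line))
        if line.endswith("{"):
            pending.append([])
        elif line == "}" and len(pending) > 1:
            pending.pop()  # candidates never followed by a directive are dropped
    return findings

if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("safe", SAFE_CONF), ("alone", ALONE_CONF)):
        print(name, find_risky_rewrites(conf))
```

The script assumes one directive per line and is a triage heuristic, not a full nginx config parser; review anything it flags by hand.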
