CVE-2026-42945: 18-Year-Old NGINX Rewrite Flaw May Enable Unauthenticated RCE

NGINX Rift (CVE-2026-42945) is an 18-year-old heap-buffer-overflow in ngx_http_rewrite_module reachable via crafted HTTP requests against rewrite rules that use unnamed PCRE captures with a replacement containing '?' followed by another rewrite/if/set; it can cause worker crashes (DoS) and, under certain conditions, remote code execution. Affected releases include NGINX Open Source 0.6.27–1.30.0 and NGINX Plus R32–R36; mitigations are to upgrade to fixed releases (1.30.1/1.31.0 or patched Plus builds), restart NGINX, audit configurations for the vulnerable pattern, and use named captures as a temporary workaround.