
CVE-2026-42945: Imperva Customers Protected Against Critical NGINX Rewrite Module Vulnerability

ID: 6832bf5b-973b-5ece-b4f3-ddebeb69bef6

STIX ID: report--6832bf5b-973b-5ece-b4f3-ddebeb69bef6

Feed Name: Security Boulevard

Threat Score: 85/100

Date Published: 2026-05-16

Date Updated: 2026-05-16

Author: Gabi Sharadin


Researchers disclosed CVE-2026-42945 (NGINX Rift), a critical heap-based buffer overflow in the ngx_http_rewrite_module affecting NGINX Open Source 0.6.27–1.30.0 and NGINX Plus R32–R36. Specially crafted HTTP requests that abuse unnamed PCRE capture groups and replacement strings can trigger heap corruption, leading to worker crashes, application-layer denial of service, and potential remote code execution. Patched releases (NGINX 1.30.1, 1.31.0+, NGINX Plus R32 P6, R36 P4) are available, and organizations are urged to patch and review rewrite rules. Imperva reports protections for its Cloud and On-Prem WAF customers.
