NGINX Rift CVE-2026-42945: An 18-Year-Old Zero-Click RCE Flaw Threatening Every API Gateway in Saudi Finance

A single HTTP request can give attackers full control of your NGINX server. CVE-2026-42945 has lurked in NGINX's rewrite module since 2008 — here's what Saudi financial institutions must do immediately.

FyntraLink Team

On May 13, 2026, F5 issued an emergency advisory for CVE-2026-42945 — a critical heap buffer overflow in NGINX's rewrite module that has existed, undetected, for 18 years. Codenamed NGINX Rift, the flaw allows any remote attacker to execute arbitrary code on a vulnerable server with a single unauthenticated HTTP request. No session, no credentials, no prior access required. For Saudi financial institutions running NGINX as their API gateway or reverse proxy — and most do — this is an immediate, board-level risk.

How NGINX Rift Works: Heap Overflow in the Rewrite Module

The vulnerability resides in ngx_http_rewrite_module, specifically in how NGINX processes unnamed regex captures within rewrite and set directives used together. When a crafted URI triggers a rewrite rule containing unnamed captures, the module miscalculates buffer boundaries and writes beyond the allocated heap region. Security firm DepthFirst discovered the flaw during an April 2026 code audit and traced its origin to NGINX version 0.6.27, released in 2008.

The attack surface is enormous. Any NGINX configuration combining rewrite with set — a pattern found in virtually every API gateway deployment — is exploitable. The attacker needs nothing more than network access to the server's HTTP port. CVSS v4 rates it 9.2 (Critical), and DepthFirst has confirmed reliable exploitation in lab environments across multiple architectures.

Alongside the primary CVE, three additional memory corruption vulnerabilities were disclosed: CVE-2026-42946 (CVSS 8.3), CVE-2026-40701 (CVSS 6.3), and CVE-2026-42934 (CVSS 6.3). All four share the same root cause family and affect the same product range.

Scope of Impact: Every Major NGINX Product Is Affected

The vulnerable codebase spans nearly every NGINX product in production today. NGINX Open Source versions 0.6.27 through 1.30.0 are affected, along with NGINX Plus R32 through R36, NGINX Instance Manager, NGINX App Protect WAF, NGINX Gateway Fabric, and NGINX Ingress Controller. Organizations running Kubernetes clusters with NGINX-based ingress controllers face particular exposure, as exploitation yields code execution inside cluster infrastructure.

F5 released patched versions on May 13: NGINX 1.30.1 and 1.31.0 address all four CVEs. For environments where immediate upgrades are operationally constrained, the interim mitigation is to replace all unnamed regex captures in rewrite directives with named captures — a configuration change that neutralizes the overflow trigger without requiring a binary update.

Why Saudi Financial Institutions Should Treat This as a P0 Incident

NGINX sits at the front door of most modern financial architectures. Open banking APIs mandated by SAMA's Open Banking Framework, mobile banking backends, payment processing gateways, and inter-bank messaging interfaces all route through NGINX reverse proxies. A successful exploit does not just compromise a web server — it provides the attacker with a persistent foothold inside the institution's DMZ, from which lateral movement toward core banking systems, SWIFT interfaces, and cardholder data environments becomes trivial.

SAMA's Cyber Security Common Controls (CSCC) framework explicitly requires institutions to maintain a documented vulnerability management program with defined SLAs for critical patches. Domain 3 (Technology Risk Management) mandates that critical vulnerabilities be remediated within 48 hours of vendor advisory publication. With F5's advisory dated May 13, Saudi regulated entities have until May 15 to deploy patches or demonstrate compensating controls. The NCA's Essential Cybersecurity Controls (ECC) mirror this urgency under subdomain 2-2 (Vulnerability Management), requiring continuous scanning and timely remediation of internet-facing assets.

PCI-DSS v4.0.1, applicable to every institution processing card transactions, requires under Requirement 6.3.3 that critical and high-severity vulnerabilities be patched within 30 days — but the Payment Card Industry Security Standards Council strongly recommends faster action when active exploitation is confirmed or imminent. Given that a public exploit repository already exists on GitHub for CVE-2026-42945, the 30-day window is dangerously generous.

Practical Remediation Steps for Security Teams

  1. Inventory every NGINX instance immediately. Use asset discovery tools or run nginx -v across all environments. Do not overlook NGINX embedded in commercial products, container images, or Kubernetes ingress controllers. Many teams forget NGINX instances bundled inside vendor appliances.
  2. Upgrade to NGINX 1.30.1 or 1.31.0. This is the only complete fix. Test in staging first, but do not delay production rollout beyond 48 hours. Coordinate with your change advisory board under emergency change procedures.
  3. Apply the interim mitigation if patching is delayed. Audit all rewrite directives in your NGINX configurations. Replace unnamed captures (parenthetical groups referenced by $1, $2) with named captures using the (?P<name>pattern) syntax. This eliminates the overflow trigger without changing routing behavior.
  4. Deploy WAF signatures for exploit patterns. If you run NGINX App Protect or a third-party WAF in front of NGINX, deploy rules to detect anomalously long URI segments targeting rewrite paths. F5 has published Snort and ModSecurity signatures in their advisory.
  5. Review logs for historical exploitation. Search NGINX access and error logs for unusual segfaults, core dumps, or unexpected worker process restarts dating back to at least January 2026. These could indicate prior exploitation attempts. Feed findings into your SIEM and correlate with network telemetry.
  6. Notify your SAMA relationship manager. Under SAMA's incident notification requirements, if forensic analysis reveals any indication of exploitation, you must notify SAMA within the prescribed timeframe. Even absent confirmed exploitation, documenting your remediation timeline satisfies CSCC audit requirements.
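Applying the interim mitigation from the patching section and step 3 above by hand is error-prone, because every $N reference in the replacement and in the set directives that follow must be renamed consistently with the group it points at; the following is an added example (not code from the original post or from F5) that automates the unnamed-to-named conversion on a constructed config fragment. It assumes one unquoted rewrite directive per line, captures referenced as $1..$9, no (?'name'...) groups, and it does not touch captures set by location or if regexes.

```python
import re
# Constructed sample: the rewrite-plus-set pattern described above, with unnamed
# captures referenced as $1, $2, $3 (no flag, so the set directives still execute).
SAMPLE_CONF = """location /api/ {
    rewrite ^/api/(v[0-9]+)/([^/()]+)/(.*)$ /internal/$1/$3;
    set $api_version $1;
    set $tenant $2;
    proxy_pass http://backend;
}"""
NAMED = re.compile(r"\(\?P?<([A-Za-z_]\w*)>")           # (?P<name> or (?<name>, not (?<= / (?<!
REWRITE = re.compile(r"^(\s*rewrite\s+)(\S+)(\s+.*)$")   # one unquoted directive per line

def name_captures(regex, prefix="c"):
    """Name every unnamed capture group; return (new_regex, {group_no: name}). Escaped parens,
    parens inside [...] and (?:...)/lookaround stay; existing named groups keep their name."""
    out, mapping, n, i, in_class = [], {}, 0, 0, False
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):            # escaped char: copy both
            out.append(regex[i:i + 2]); i += 2; continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            m = NAMED.match(regex, i)
            if m:                                        # already named: keep it, but it still takes a number
                n += 1; mapping[n] = m.group(1)
                out.append(m.group(0)); i = m.end(); continue
            if not regex.startswith("(?", i):            # plain unnamed capture: name it
                n += 1; mapping[n] = f"{prefix}{n}"
                out.append(f"(?P<{mapping[n]}>"); i += 1; continue
        out.append(ch); i += 1
    return "".join(out), mapping

def harden_config(conf):
    """Name captures in each rewrite and translate $1..$9 after it (until the block closes)."""
    mapping, lines = {}, []
    def sub(s):  # $N -> $name when N was captured by the most recent rewrite
        return re.sub(r"\$([1-9])", lambda g: "$" + mapping.get(int(g.group(1)), g.group(1)), s)
    for line in conf.splitlines():
        m = REWRITE.match(line)
        if m:
            rx, mapping = name_captures(m.group(2))
            line = m.group(1) + rx + sub(m.group(3))
        elif line.strip().startswith("}"):
            mapping = {}                                  # captures do not outlive the block
        lines.append(line if m else sub(line))
    return "\n".join(lines)
```

Run the rewritten file through nginx -t before reloading; the script only transforms text and does not validate the resulting regexes.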

Conclusion

CVE-2026-42945 is not a routine Patch Tuesday item. An 18-year-old vulnerability in the most widely deployed web server and reverse proxy on the internet, exploitable without authentication in a single request, represents a systemic risk to financial infrastructure. Saudi institutions operating under SAMA and NCA oversight have a regulatory obligation — and a practical imperative — to patch within hours, not days. The exploit code is public. The attack requires no sophistication. The only question is whether your NGINX instances are updated before an attacker sends that one crafted request.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and emergency vulnerability audit of your internet-facing infrastructure.