A heap-based buffer overflow in nginx’s ngx_http_rewrite_module, disclosed as CVE-2026-42945 and nicknamed NGINX Rift, allows an unauthenticated attacker to crash a worker process, or potentially achieve remote code execution on hosts with ASLR disabled, by sending a single crafted HTTP request.
If you operate an internet-facing nginx instance, especially one with non-trivial rewrite rules in front of a PHP or application backend, this matters.
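To help decide which hosts to patch first, the following added example (not code from nginx or AlmaLinux) inventories which server blocks in a dumped configuration use directives from ngx_http_rewrite_module. It is an exposure inventory, not a vulnerability test: this notice does not say which directive or pattern triggers the overflow, and the function name, tokenizer and sample configuration are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Directives provided by ngx_http_rewrite_module (per the nginx documentation).
REWRITE_DIRECTIVES = set("break if return rewrite rewrite_log set uninitialized_variable_warn".split())
# Token order: quoted strings, comments, structural characters, bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|(?:\$\{\w+\}|[^\s{};])+''')

def inventory(conf_text):
    """Return one {"names": [...], "uses": Counter} entry per server block."""
    servers, stack, stmt, current = [], [], [], None
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):               # comment
            continue
        if tok not in ("{", ";", "}"):        # still inside one statement
            stmt.append(tok)
            continue
        name = stmt[0] if stmt else ""
        if tok == "{":
            stack.append(name)                # remember which block was opened
            if name == "server" and current is None:
                current = {"names": [], "uses": Counter()}
                servers.append(current)
        if current is not None and tok != "}":
            if name in REWRITE_DIRECTIVES:
                current["uses"][name] += 1
            elif name == "server_name":
                current["names"] += stmt[1:]
        if tok == "}" and stack and stack.pop() == "server":
            current = None                    # left the server block
        stmt = []
    return servers

CONSTRUCTED_SAMPLE = r"""http {
  upstream app { server 127.0.0.1:9000; }    # constructed sample config
  server { listen 80; server_name static.example.test; root /srv/static; }
  server {
    server_name shop.example.test www.shop.example.test; set $backend "app";
    if ($request_uri ~ "^/old/(.*){1,3}$") { return 301 /new/$1; }
    location / { rewrite ^/p/(\d+)$ /i.php?id=$1 last; rewrite ^/c/(.+)$ /i.php?c=$1 last; }
  }
}
"""

if __name__ == "__main__":
    text = CONSTRUCTED_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for s in sorted(inventory(text), key=lambda s: -sum(s["uses"].values())):
        print(sum(s["uses"].values()), " ".join(s["names"]) or "(unnamed)", dict(s["uses"]))
```

On a real host, pipe the full configuration in with `nginx -T 2>/dev/null | python3 rewrite_inventory.py` (the script file name is a placeholder). Blocks with embedded code, such as Lua `*_by_lua_block` sections, are not handled by this tokenizer.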
AlmaLinux’s core team has built patched nginx packages, which are available in their testing repository.
After the community has helped verify them, AlmaLinux will release them to the production repositories.
This and other security notifications, which may or may not make it to the blog, are posted on the forums at: https://sysadmin.help