NGINX Rift: 18-Year Bug Found by AI in 6 Hours

Gabriel Ferraresi · CEO | Tech86 · May 19, 2026 · 5 min read

Tags: nginx, security, ai, vulnerability, heap overflow

A critical bug present in NGINX since 2008. CVSS 9.2. Heap buffer overflow with a path to RCE. No scanner detected it for 18 years. An AI platform found it in 6 hours. At Tech86, we followed this discovery closely — and what it means for infrastructure security is more important than the bug itself.

The bug: deterministic heap overflow in the rewrite engine

The NGINX rewrite engine operates in two passes. The first calculates the required buffer size. The second copies the data into that buffer. The problem lies in the disconnect between these two passes.

When a rewrite directive contains ? in the replacement string, the is_args flag is set in the main engine and never cleared. At size calculation time, the zeroed sub-engine ignores escaping. At copy time, the main engine with is_args=1 calls ngx_escape_uri. Each escapable byte (+, %, &) expands from 1 to 3 bytes. The buffer is allocated for raw_size. The copy writes raw_size + 2*N bytes. Deterministic overflow, controlled by the attacker via URI.

The trigger is a documented and recommended configuration pattern: unnamed PCRE captures ($1, $2) combined with ? in the replacement and a subsequent set, rewrite, or if directive. Something like rewrite ^/users/([0-9]+)$ /profile.php?id=$1?last; — exactly the kind of rule API gateways use daily.
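A small Python model of the two-pass mismatch described above (an added example, not NGINX source or the researcher's PoC): the size pass runs on a zeroed sub-engine with is_args=0, the copy pass on the main engine with is_args=1, and the shortfall is 2 bytes per escapable byte. The escape set is the three bytes the article names; the real ngx_escape_uri table is larger, but the arithmetic is the same.

```python
# Model of the two-pass rewrite mismatch (constructed; not NGINX source).
# The article names '+', '%' and '&' as bytes that expand 1 -> 3; the real
# ngx_escape_uri table is larger, but the size arithmetic is identical.
ESCAPE = {"+": "%2B", "%": "%25", "&": "%26"}

def escape_uri(s: str) -> str:
    """Stand-in for ngx_escape_uri on the args part of a URI."""
    return "".join(ESCAPE.get(c, c) for c in s)

def size_pass(capture: str, is_args: int) -> int:
    """Pass 1: bytes the engine reserves for this capture."""
    return len(escape_uri(capture)) if is_args else len(capture)

def copy_pass(capture: str, is_args: int) -> str:
    """Pass 2: bytes actually written into the buffer."""
    return escape_uri(capture) if is_args else capture

def buggy_shortfall(capture: str) -> int:
    """Sizing runs on a zeroed sub-engine (is_args=0); copying runs on the
    main engine, whose is_args=1 was set by '?' and never cleared.
    Returns bytes written beyond the allocation: 2 per escapable byte."""
    allocated = size_pass(capture, is_args=0)
    written = len(copy_pass(capture, is_args=1))
    return written - allocated

def fixed_rewrite(capture: str, is_args: int) -> str:
    """Both passes see the same flag, so allocation == bytes written."""
    allocated = size_pass(capture, is_args)
    out = copy_pass(capture, is_args)
    assert len(out) == allocated, "size and copy passes disagree"
    return out

if __name__ == "__main__":
    # Constructed capture values an attacker controls through the URI.
    for cap in ("123", "1+2", "a+b%c&d"):
        print(f"{cap!r}: copy pass overruns allocation by "
              f"{buggy_shortfall(cap)} bytes")
```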

The exploitation: unauthenticated RCE in a single request

A single HTTP request. No authentication. No prior session. That is all an attacker needs.

The overflow corrupts the adjacent ngx_pool_t structure on the heap. The cleanup pointer at offset 64 is overwritten. When the pool is destroyed, NGINX executes whatever is at that pointer — a direct path to arbitrary code execution.

The demonstrated PoC uses cross-request heap feng shui: two simultaneous connections to position adjacent pools, POST bodies to spray fake cleanup objects calling system(), and a URI-safe payload to overwrite the low bytes of the pointer. With ASLR disabled, RCE is confirmed. With ASLR enabled, DoS is guaranteed — and the researcher notes: the master forks workers with identical layout. If the exploit crashes a worker, another spawns with the same layout. You can keep trying until you succeed.

This is not theoretical. It is reproducible. And it affects virtually every NGINX on the planet — 33% of global websites.

Who found it: AI in 6 hours, humans in 18 years

DepthFirst AI. An LLM-powered platform. One-click onboarding. Six hours of analysis. Four memory corruption bugs in a single session:

  • CVE-2026-42945 (CVSS 9.2) — heap overflow in rewrite
  • CVE-2026-42946 (CVSS 8.3) — ~1 TB allocation in SCGI/UWSGI
  • CVE-2026-40701 (CVSS 6.3) — use-after-free in SSL/OCSP
  • CVE-2026-42934 (CVSS 6.3) — out-of-bounds read in charset

Eighteen years. One third of the web. Zero human detection. The AI did not find this by accident — it systematically explored internal code paths that traditional fuzzers cannot reach. The NGINX rewrite engine is a complex subsystem with shared state between passes, and the combination of a persistent is_args flag with conditional escaping is exactly the kind of logic bug that surface-level testing will never uncover.

The asymmetry that changes the game

The offensive cost of finding bugs like NGINX Rift collapsed from years to hours. The defensive cost of patching thousands of instances remains orders of magnitude higher. This is the asymmetry that defines the new security landscape.

Consider the math: an attacker with access to an AI tool can scan dozens of open source projects per day. Each scan has the potential to find critical bugs that have existed for years. On the defensive side, each discovered vulnerability requires asset inventory, prioritization, maintenance windows, regression testing, coordinated deployment — and that is per instance, per environment, per client.

At Tech86, we have watched this dynamic repeat with every critical vulnerability in recent years. The time between disclosure and mass exploitation shrank from months to days. The time between disclosure and complete patching across real client infrastructure did not keep pace. NGINX Rift is the most dramatic example yet: 18 years of vulnerability, discovered in hours, and weeks until every instance is patched.

What this means in practice

This asymmetry favors whoever runs the next autonomous scan first. And the next target does not have to be NGINX. It can be any software running at global scale — and nearly all of them have subsystems with complex internal logic that has never been audited at this depth.

Perimeter defense is no longer optional. When the time between discovery and exploitation collapses, you cannot rely on "we will patch in the next window." You need layers that filter malicious traffic before it reaches vulnerable software. You need visibility into what is running and where. You need patching processes that work in hours, not weeks.

The immediate workaround for NGINX Rift — named captures — is simple and effective. But it is a band-aid. The structural problem is that vulnerability discovery speed is now governed by AI, while response speed is still governed by human processes. Until that gap closes, WAF and defense in depth are not luxuries — they are the only thing standing between your infrastructure and the next 9.2 CVE.

Conclusion

NGINX Rift is not just another vulnerability. It is a milestone: the moment AI proved it can find critical bugs that 18 years of human auditing missed — and did it in an afternoon. The question is not whether the next vulnerability like this will be discovered. It is when. And whether your infrastructure will be protected when it happens.

At Tech86, we built our Perimeter WAF Shielding to be exactly that layer: protection that works while the patch is not yet deployed, rules that block exploitation patterns before they reach vulnerable software, and visibility into the traffic hitting your servers. Because in a world where 18-year bugs are found in 6 hours, you cannot wait until the next maintenance window.


Frequently Asked Questions

If you use rewrite with unnamed PCRE captures ($1, $2) and the ? character in the replacement string, yes. This pattern is common in API gateways and dynamic routing. Check your nginx.conf.

Yes. Replacing $1, $2 with named captures like (?<user_id>[0-9]+) eliminates the code path that triggers the is_args flag in the sub-engine. It is the recommended mitigation until the patch is applied.
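An audit script for the trigger pattern described in the article (unnamed PCRE captures plus ? in the replacement) that also rewrites matching rules to the named-capture form this answer recommends. This is an added example, not a Tech86 or NGINX tool; the nginx.conf snippet is constructed, and the converter assumes the simple regexes typical of rewrite rules (escaped parens and (?...) groups are handled, a literal "(" inside a character class is not).

```python
import re

# Constructed sample nginx.conf: line 2 matches the risky pattern, line 3
# has no '?' in the replacement, line 4 already uses a named capture.
SAMPLE_CONF = """\
server {
    rewrite ^/users/([0-9]+)$ /profile.php?id=$1? last;
    rewrite ^/api/(.*)$ /v2/$1 last;
    rewrite ^/u/(?<uid>[0-9]+)$ /profile.php?id=$uid? last;
}
"""

REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)")
NUMERIC_REF = re.compile(r"\$(\d+)")   # $1, $2, ... in the replacement

def find_risky_rewrites(conf: str) -> list[tuple[int, str, str]]:
    """(line no, regex, replacement) for each rewrite whose replacement
    combines an unnamed capture reference ($N) with a '?'."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if m and "?" in m.group(2) and NUMERIC_REF.search(m.group(2)):
            hits.append((n, m.group(1), m.group(2)))
    return hits

def to_named_captures(regex: str, replacement: str) -> tuple[str, str]:
    """Turn each plain capturing group into (?<cN>...) and each $N into
    $cN. Assumes no '(' inside character classes (constructed helper)."""
    out, n, i = [], 0, 0
    while i < len(regex):
        c = regex[i]
        if c == "\\" and i + 1 < len(regex):      # keep \( and \) literal
            out.append(regex[i:i + 2]); i += 2; continue
        if c == "(" and not regex.startswith("(?", i):
            n += 1
            out.append(f"(?<c{n}>")
        else:
            out.append(c)
        i += 1
    named = NUMERIC_REF.sub(lambda m: f"$c{m.group(1)}", replacement)
    return "".join(out), named

if __name__ == "__main__":
    for n, rx, repl in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {n}: rewrite {rx} {repl}")
        print("   ->  rewrite %s %s" % to_named_captures(rx, repl))
```

Run it against a real nginx.conf by reading the file into find_risky_rewrites; included files must be scanned separately.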

With ASLR on, RCE is harder but not impossible — the researcher demonstrated that the master forks workers with identical layout, allowing repeated attempts. DoS via pool corruption is guaranteed regardless of ASLR.

A well-configured perimeter WAF significantly reduces the exploitation window by blocking URIs with anomalous escapable character patterns. It does not replace the patch, but it is a critical defense-in-depth layer.

Traditional fuzzers and scanners test known input surfaces. NGINX Rift lives in an internal code path of the rewrite engine that is only activated by a specific combination of configuration and URI — a scenario generic tests never cover.
