Exploit attempts are already hammering a newly disclosed NGINX bug dubbed "NGINX Rift," proving once again that attackers read patch notes faster than most admins. Researchers at VulnCheck said they are seeing active exploitation tied to CVE-2026-42945, a heap buffer overflow flaw affecting both NGINX Open Source and NGINX Plus that was disclosed last week after apparently sitting unnoticed for 18 years. VulnCheck's Patrick Garrity said the company observed exploitation activity on its canary systems "just days after the CVE was published." "An unauthenticated attacker can crash the NGINX worker process by sending crafted HTTP requests," he said. "On servers with ASLR disabled – which, of course, is extremely unlikely – code execution is possible." Researchers at Depthfirst disclosed the bug last week, saying the flaw had been sitting in NGINX's rewrite module since 2008. The vulnerability, nicknamed "NGINX Rift," was assigned a CVSS score of 9.2. According to F5, which acquired NGINX in 2019, the flaw can be triggered by specially crafted HTTP requests under certain server configurations. In most cases, the result is a crashed worker process and a forced restart, though systems running without standard Linux memory protections could potentially face code execution. A public proof-of-concept exploit appeared the same day patches dropped, which helps explain why researchers started seeing exploitation attempts almost immediately. In practice, turning this into reliable remote code execution takes a pretty specific setup. The target server must be running a specific rewrite configuration, attackers need enough knowledge of that setup to exploit it correctly, and ASLR must also be disabled on the host system. Security researcher Kevin Beaumont noted that while the bug is real, modern Linux defaults significantly reduce the likelihood of successful real-world RCE. "Regarding CVE-2026-42945 in nginx – no modern (or even old) Linux distribution runs nginx without ASLR," Beaumont said. "So, cool, sweet technical vuln – it's valid – but the RCE apocalypse ain't coming." Even so, VulnCheck said Censys scans surfaced roughly 5.7 million internet-exposed NGINX servers running potentially vulnerable versions, which means patching teams everywhere just inherited another very long week. ®