Brief IA

NGINX Rift: A 2008 Vulnerability Discovered by AI Threatens the Web

Models & LLM · Tom Levy

Key Takeaways

1. A critical vulnerability in NGINX, introduced in 2008, was discovered by an AI in just six hours.
2. DepthFirst revealed that the bug allows for a heap overflow, potentially affecting one-third of global websites.
3. Patches are available, but a denial of service remains possible if configurations are not updated.

Why it matters: This discovery highlights the increasing effectiveness of AIs in identifying critical vulnerabilities in widely used software.
Full Analysis

A Critical Flaw Revealed by Artificial Intelligence

For eighteen years, a bug lay buried in the NGINX code, eluding thousands of human audits. An automated analysis system, however, detected it in just six hours. On May 13, 2026, F5 released a security advisory for CVE-2026-42945, a heap overflow in the NGINX URL rewrite module rated 9.2 on the CVSS v4 scale. Introduced in version 0.6.27, released in 2008, the bug survived hundreds of updates, in software that powers about one-third of the world's websites, without being noticed. It was identified by the startup DepthFirst, which specializes in AI-driven code analysis, during an automated scanning session on April 18, 2026.

A Heap Overflow Triggered by a Simple HTTP Request

The flaw manifests when NGINX processes a rewrite rule whose replacement string contains a question mark. The size of the destination buffer is computed under one assumption about the replacement, but the copy into that buffer proceeds under a different one, so the written data exceeds the allocation and overflows the heap. The prerequisites are specific: an unnamed PCRE capture, a question mark in the replacement, and an additional directive in the same scope. These conditions are nonetheless common enough to affect a large number of production configurations.

DepthFirst published a proof-of-concept on GitHub, demonstrating that a simple HTTP request can be sufficient to crash an NGINX worker, resulting in a reliable denial of service. Although remote code execution is theoretically possible via an inter-request "Heap Feng Shui," the AlmaLinux team pointed out that the published PoC only works reliably with ASLR disabled. In real-world conditions, the most likely scenario remains the DoS. This is particularly concerning for software that powers one-third of the world's web servers according to W3Techs, and nearly 47% of the top 1,000 most visited sites.

Remedial Measures and Associated Vulnerabilities

Fixed versions are available: NGINX Open Source 1.31.0 (mainline) and 1.30.1 (stable), as well as NGINX Plus R36 P4 and R32 P6. Until the patches are applied, it is advisable to replace unnamed captures ($1, $2) with named captures in the rewrite rules. During the same scanning session, three other vulnerabilities were discovered, including CVE-2026-42946, an excessive memory allocation that could reach 1 TB in the SCGI/UWSGI modules, rated 8.3 on the CVSS scale.
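As an added example (not DepthFirst's, F5's or the NGINX project's code), the following Python audit scans nginx configuration text for rewrite rules that match the two line-level preconditions described above, an unnamed PCRE capture referenced from a replacement that contains a question mark, and proposes the named-capture form suggested as the interim mitigation. The sample configuration is constructed, the third precondition (an additional directive in the same scope) is not checked, and the names REWRITE_RE, named_captures and audit are assumptions of this example.

```python
import re

# Constructed sample config: one rewrite meets both line-level preconditions, one already
# uses named captures, one has no query string at all.
SAMPLE_CONF = """
server {
    listen 80;
    location /old/ {
        rewrite ^/old/([^/]+)/(.*)$ /new/$2?legacy=$1 last;
        add_header X-Migrated 1;
    }
    location /api/ {
        rewrite ^/api/(?<ver>v\\d+)/(?<rest>.*)$ /backend/$rest?version=$ver break;
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /static/$1 permanent;
    }
}
"""

REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;')
UNNAMED_REF = re.compile(r'\$(\d)')   # $1 .. $9 references in the replacement

def named_captures(pattern, replacement):
    """Rewrite unnamed groups '(...)' as '(?<gN>...)' and '$N' references as '$gN'."""
    out, n, i = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and i + 1 < len(pattern):            # keep escapes such as \( intact
            out.append(pattern[i:i + 2]); i += 2; continue
        if ch == '(' and not pattern.startswith('(?', i):  # plain capturing group
            n += 1
            out.append('(?<g%d>' % n); i += 1; continue
        out.append(ch); i += 1
    return ''.join(out), UNNAMED_REF.sub(lambda m: '$g' + m.group(1), replacement)

def audit(conf_text):
    """Return (line_no, pattern, replacement, named_pattern, named_replacement) for each
    rewrite whose replacement contains both an unnamed capture reference and a '?'."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if m and '?' in m.group(2) and UNNAMED_REF.search(m.group(2)):
            findings.append((no, m.group(1), m.group(2)) + named_captures(m.group(1), m.group(2)))
    return findings

if __name__ == '__main__':
    for no, pat, rep, new_pat, new_rep in audit(SAMPLE_CONF):
        print('line %d: rewrite %s %s  ->  consider: rewrite %s %s' % (no, pat, rep, new_pat, new_rep))
```

Every hit still needs a human look at the surrounding scope, and the suggested regex should be tested before it replaces the original rule.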

The Club of Forgotten Flaws Welcomes a New Member

NGINX Rift joins a list of forgotten flaws discovered only after years of audits. Among them are PwnKit (CVE-2021-4034), which spent 12 years in Polkit's pkexec before Qualys found it in 2022; SinkClose (CVE-2023-31315), which existed for about 20 years in AMD processors before IOActive revealed it at DEF CON 2024; and the 0.0.0.0-day vulnerability, which sat for 18 years in Chrome, Firefox and Safari before Oligo Security exposed it in August 2024. These flaws share a similar profile: bugs buried so deeply in a fundamental software layer that successive audits came to treat them as part of the background rather than questioning them.

What sets NGINX Rift apart is less the flaw itself than the discovery method. DepthFirst describes its tool as an autonomous static analysis system powered by a language model, capable of scanning a large C/C++ codebase after a simple onboarding of the source repository. Google DeepMind paved the way in late 2024 with Big Sleep (formerly Naptime), which found a real vulnerability in SQLite. But that was an isolated case, in a lab. Here, we are talking about four CVEs in a critical open-source project, found in a six-hour commercial session. The trajectory is taking shape: 2024, proofs of concept in the lab. 2025, internal tools at software vendors. 2026, the first major open-source scalp.

For French hosting providers like OVHcloud, Scaleway, Infomaniak and Gandi, which rely heavily on NGINX in front of their shared hosting offerings and load balancers, the message is clear: patch to 1.31.0 or 1.30.1 without delay, and review the rewrite configurations in production. AlmaLinux pushed the patches as early as May 14 for all its streams, including end-of-life versions. Machines still running unmaintained NGINX packages will not have this chance.
