
NGINX Rift: a 2008 bug that survived three Olympics and one financial crisis

CVE-2026-42945 is a heap buffer overflow in nginx that has been sitting in every build since 2008. Seventeen years of code review, fuzzing, and production deployment did not catch it. Here is what that tells us.

By GenexOne Team · May 15, 2026 · 4 min read

On May 13, the nginx team disclosed CVE-2026-42945, dubbed NGINX Rift. It is a heap buffer overflow in ngx_http_rewrite_module that has been present in every nginx build since the module was introduced in 2008. The patch is straightforward. The bug is not. Seventeen years of code review, professional security audits, fuzzing campaigns, and production exposure across half the internet did not find it.

The interesting question is not how to patch. You patch, today. The interesting question is what kept this bug invisible for seventeen years and what it tells us about the limits of our standard security practices.

What the bug is

The vulnerability is in the rewrite module's handling of unusually structured URI patterns. Most rewrite rules in production are short and predictable. The bug only triggers when a URI hits a specific edge case in the buffer length calculation, and when the resulting overflow lands at exactly the right place in memory to be exploitable.

In practice this means you can write any nginx rewrite rule in production and never see this fire. The bug requires both an unusual input and a memory layout that exists in some compiled builds but not others. The combination is rare enough that organic production traffic essentially never hit it.

Why fuzzing did not catch it

Nginx has been fuzzed continuously by Google's OSS-Fuzz project since 2017. Eight years of CPU time, millions of corpus inputs, thousands of crash reports triaged. None of them surfaced this exact pattern.

Fuzzers find bugs in proportion to how often the bug-triggering inputs appear in their generation strategy. The Rift bug requires a URI pattern that is rare in the corpus and rare in random generation. The fuzzer wandered around the bug for years without ever stepping on it.

This is the dirty secret of fuzzing. It is great at finding the bugs your assumptions did not cover, and it is terrible at finding the bugs that require a leap to the input space your assumptions actively excluded.

Why code review did not catch it

The vulnerable function is short. The math is not obviously wrong. A reviewer looking at the function in isolation would have to mentally trace through three layers of buffer allocation in surrounding code to realize the assumption being violated. Code reviewers do not do that, ever, for any reason. We read for intent and obvious mistakes. We do not run the program in our heads.

The bug is also separated from its consequence by code distance. The buffer is allocated in one file, written in another, and the rewrite logic that mishandles the boundary is in a third. A reviewer looking at any one piece sees nothing wrong. The bug only appears when you compose all three, which is also why fuzzing struggled with it.

What it tells us

Three things, all uncomfortable.

Time is the only fuzzer that matters. Bugs in long-running infrastructure get discovered on a slow random schedule that is essentially unrelated to how much effort goes into looking for them. A million dollars of additional fuzzing investment would not have surfaced Rift faster than the seventeen years of organic exposure that did. This is a sobering thing to internalize when planning security budgets.

Standard tools find standard bugs. The Rift bug is not unusual in its mechanism. It is a heap overflow, the most well-studied vulnerability class in C. What made it survive was that the path to trigger it required composition across modules that fuzzers and reviewers each looked at individually. Bugs that are easy to find in any one component are now mostly extinct in mature codebases. The remaining bugs live at the seams.

The internet runs on 17-year-old code paths. Most of the infrastructure that handles the web you use every day was written before the iPhone. The code is good. It has been improved. It has also accumulated a long tail of edge cases that nobody has thought about in years and nobody has any incentive to rediscover. Rift is one of those. There are others.

What to do now

Patch nginx. Verify the version on every box that runs it. If you operate at scale and have not done so already, subscribe to the nginx security mailing list directly rather than relying on your distro's package cadence. The patched versions are out. The gap between disclosure and full deployment is your exposure window.
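A fleet sweep for the "verify the version on every box" step, as an added example that is not code from the original post. The first fixed release is passed in as a placeholder argument because the post does not name the patched versions; hostnames and passwordless ssh access are assumed.

```shell
# Added example (not from the original post): sweep hosts for nginx builds
# older than the first fixed release. The fixed version is a PLACEHOLDER
# argument because the post does not name it; take it from the nginx advisory.

# Pull "x.y.z" out of the banner that `nginx -v 2>&1` prints,
# e.g. "nginx version: nginx/1.26.2" (also matches openresty/... builds).
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: [^/]*\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2. Components are compared numerically,
# so 1.26.10 ranks above 1.26.2 (a plain string compare gets this wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                     # leading component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # drop it from the remainder
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0    # missing component counts as 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0                                        # identical after padding
}

# Classify one banner against the fixed release $2:
# 0 = patched, 1 = still vulnerable, 2 = version could not be read.
classify_banner() {
    v=$(nginx_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$2"
}

# Fleet sweep: $1 is the fixed release, remaining args are hostnames reachable
# over ssh. Hosts whose banner cannot be read are reported, not silently skipped.
audit_hosts() {
    fixed=$1; shift
    for h in "$@"; do
        banner=$(ssh -o BatchMode=yes "$h" 'nginx -v 2>&1' 2>/dev/null)
        rc=0; classify_banner "$banner" "$fixed" || rc=$?
        case $rc in
            0) echo "$h: ok ($v)" ;;
            1) echo "$h: VULNERABLE ($v), patch now" ;;
            *) echo "$h: UNKNOWN, could not read nginx version" ;;
        esac
    done
}

# Offline demo on constructed banners (no ssh); 1.99.0 is a placeholder, not the real fix.
for b in 'nginx version: nginx/1.98.3' 'nginx version: nginx/1.99.0' 'sh: nginx: not found'; do
    rc=0; classify_banner "$b" 1.99.0 || rc=$?; echo "$rc <- $b"
done
```

Run `audit_hosts <fixed-release> host1 host2 ...` against your inventory; anything reported UNKNOWN needs a manual look, since a box that cannot answer is not a box you can call patched.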

Past that, assume there are more Rifts in the things you depend on. The infrastructure you take for granted is older than your career and was written by people who did not have AI-assisted fuzzers, formal verification, or even reliable static analysis. Most of it is fine. Some of it is not, and you will not know which is which until it fires.

Treat every long-standing dependency as a probabilistic Rift waiting to be discovered. Have a patch process that does not require heroics. The next disclosure will land on a day you are not ready for it.

Tags: nginx, security, cve, infrastructure