CVE-2026-42945 + 3 more critical

DepthFirst autonomously finds NGINX Rift and three companion CVEs

DepthFirst says its autonomous low-level analysis platform found four confirmed NGINX memory-corruption issues, led by CVE-2026-42945, the critical NGINX Rift rewrite-module heap overflow.

Bug class: NGINX memory-corruption cluster led by rewrite-module heap overflow RCE
Affected codebase: NGINX Open Source and NGINX Plus
Credited system: DepthFirst
Disclosed: May 13, 2026
Attribution: Self-reported attribution
Severity: critical

Source status: DepthFirst's May 13, 2026 NGINX Rift material says its autonomous platform found four confirmed NGINX memory-corruption issues after analyzing the codebase. NVD and F5-linked CVE records corroborate the public vulnerabilities and fixes, while the autonomous-discovery claim comes from DepthFirst.

Summary

DepthFirst disclosed NGINX Rift on May 13, 2026. Its public write-up says an autonomous low-level-code analysis system scanned the NGINX source tree and reported five security issues, four of which NGINX confirmed as CVEs:

The headline issue, CVE-2026-42945, affects NGINX Open Source 0.6.27 through 1.30.0 and NGINX Plus R32 through R36 under a specific rewrite configuration. DepthFirst published a root-cause analysis and a proof of concept showing worker-process remote code execution when ASLR is disabled.

Attribution

This is a self-reported AI-attributed entry. DepthFirst is the primary source for the autonomous-discovery claim: its NGINX Rift landing page says the vulnerability was discovered autonomously by the DepthFirst platform, and the technical post says the system found the confirmed NGINX issues after roughly six hours of analysis.

The public CVE layer is independently corroborated by NVD and F5-linked records. Those records credit DepthFirst researchers and the coordinated disclosure, but they do not independently name the autonomous platform as the finder. That is why the attribution label is self-reported rather than direct.

Why it matters

NGINX Rift is a strong bugflation signal because it combines a mature, internet-facing codebase, an 18-year-old critical bug class, a vendor-confirmed CVE record, and a public exploitability analysis. It is not just a scanner warning. DepthFirst’s post describes a concrete root cause, a working trigger condition, and a patch path that landed in a coordinated F5/NGINX release.

Catalogued in the Bugflation public ledger.