1C-Bitrix Releases bx-nginx 1.30.2 Update to Address the May nginx Web Server Vulnerabilities

News and announcements

In May 2026, the nginx developers, working with F5 experts, disclosed seven vulnerabilities in the nginx web server, a core component of many internet projects worldwide. As an emergency measure, 1C-Bitrix has released a new version of the bx-nginx package, 1.30.2, for the VMBitrix environment. The release contains fixes for all of the disclosed flaws, including the two most dangerous ones: CVE-2026-9256 ("nginx-poolslip") and NGINX Rift (CVE-2026-42945). The situation is critical because a working exploit for NGINX Rift is already publicly available.

Summary: owners of VMBitrix virtual machines are strongly advised to update the bx-nginx package to version 1.30.2 within the next few hours. Active exploitation attempts against NGINX Rift, using a public exploit that bypasses ASLR, have already been observed in the wild.

The Core of the Issue

The nginx development team and F5 analysts recently published a coordinated disclosure covering six vulnerabilities in nginx Plus and nginx Open Source. Patches were released simultaneously in the stable branch (nginx 1.30.1) and the mainline branch (nginx 1.31.0). A seventh vulnerability, found during the same investigation, was fixed on May 22 and is included in the nginx 1.31.1 release.

The most serious of the flaws is NGINX Rift (CVE-2026-42945), a heap buffer overflow in the rewrite module. Discovered by the depthfirst team, the bug has been in the source code since 2008 and affects every nginx Open Source version from 0.6.27 through 1.30.0 inclusive. Because nginx is an industry standard, the May vulnerabilities affect an enormous number of servers, including the builds used in the 1C-Bitrix ecosystem. The 1C-Bitrix developers rebuilt nginx with the upstream patches, tested it in VMBitrix, and published the critical bx-nginx 1.30.2 update on May 25.

List of Fixed Vulnerabilities

CVE identifier | Error type | CVSS score | Discovered by
CVE-2026-42945 (NGINX Rift) | Heap buffer overflow in ngx_http_rewrite_module; unauthenticated RCE is possible | 9.2 (v4) / 8.1 (v3.1) | depthfirst / F5
CVE-2026-9256 (nginx-poolslip) | Buffer overflow in ngx_http_rewrite_module when PCRE captures overlap; risk of remote code execution (RCE) | Medium (nginx's own estimate) | Mufeed VH (Winfunc Research)
CVE-2026-42926 | HTTP/2 request injection via the proxy_set_body directive when proxy_http_version 2 is used | Medium | Mufeed VH (Winfunc Research)
CVE-2026-40701 | Use-after-free in ngx_http_ssl_module when ssl_ocsp is enabled | Medium | Leo Lin
CVE-2026-42946 | Buffer over-read in ngx_http_scgi_module and ngx_http_uwsgi_module | 8.3 (v4) | F5
CVE-2026-42934 | Out-of-bounds read in ngx_http_charset_module when processing UTF-8 inside charset_map | Low | F5
CVE-2026-40460 | Address spoofing in HTTP/3 during QUIC connection migration | Medium | Rodrigo Laneth

The nginx developers themselves classify CVE-2026-42945 as a medium-severity vulnerability. Third-party researchers at depthfirst, independent organizations (Orca Security, Qualys, Cloud Security Alliance) and F5, however, rate it 9.2 on the CVSS v4 scale, which corresponds to "critical". 1C-Bitrix shares the view of the external experts and treats the vulnerability as critical.

Who is Affected

The release applies to all server configurations based on VMBitrix (the official 1C-Bitrix virtual machine), which ships with the nginx web server by default. Each flaw is reachable only when the corresponding feature is enabled in the configuration file: the rewrite module, proxy_set_body together with proxy_http_version 2, ssl_ocsp, charset_map, HTTP/3 (QUIC) support, or uwsgi/scgi proxying. Note that most standard VMBitrix configurations use the rewrite module, so a typical installation is exposed to NGINX Rift class attacks.
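The exposure conditions above can be checked mechanically against the effective configuration. The script below is an added example and not 1C-Bitrix tooling; it assumes the standard nginx directive-to-module mapping (rewrite, if, set and return all belong to ngx_http_rewrite_module; a "listen ... quic" line or "http3 on" enables HTTP/3), that the full configuration is obtained with nginx -T, and, since the advisory does not say which rewrite-module directive triggers NGINX Rift, it reports any use of that module. The sample vhost embedded in it is constructed for the demonstration, and the script goes slightly beyond the page by mapping each hit back to the CVE in the table above.

```sh
#!/bin/sh
# Added example, not 1C-Bitrix code: scan an nginx configuration for the
# directives the advisory lists as preconditions for the May 2026 CVEs.
# Live usage on a VMBitrix host (nginx -T prints the fully included config):
#     nginx -T 2>/dev/null | sh bx_exposure.sh --scan
# Without --scan the script scans the constructed sample vhost below.

# find_risky_directives: read config text on stdin, print one tab-separated
# "HIT <line> <directive> <reason>" record per match. Comment lines are skipped
# so that a commented-out directive is not reported.
find_risky_directives() {
    awk '
        function hit(reason) { print "HIT\t" NR "\t" d "\t" reason }
        /^[ \t]*#/ { next }                    # skip comment lines
        { d = $1 }                             # first token on a line is the directive name
        d == "rewrite" || d == "if" || d == "set" || d == "return" {
            hit("ngx_http_rewrite_module in use (CVE-2026-42945 NGINX Rift, CVE-2026-9256)") }
        d == "proxy_set_body" { body = 1 }     # only reported together with proxy_http_version 2
        d == "proxy_http_version" && $2 ~ /^2/ { h2 = 1 }
        d == "ssl_ocsp" && $2 ~ /^on/ { hit("ssl_ocsp enabled (CVE-2026-40701)") }
        d == "charset_map" { hit("charset_map present (CVE-2026-42934)") }
        d == "uwsgi_pass" || d == "scgi_pass" { hit("uwsgi/scgi proxying (CVE-2026-42946)") }
        (d == "listen" && /quic/) || (d == "http3" && $2 ~ /^on/) { hit("HTTP/3 enabled (CVE-2026-40460)") }
        END { if (body && h2) print "HIT\t-\tproxy_set_body\tproxy_set_body with proxy_http_version 2 (CVE-2026-42926)" }
    '
}

# count_hits CONFIG_TEXT: print the number of HIT records for the given text
count_hits() {
    printf '%s\n' "$1" | find_risky_directives | awk 'END { print NR + 0 }'
}

# Constructed sample vhost (not a real VMBitrix file); it deliberately touches every listed module.
SAMPLE_CONF='
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http3 on;
    ssl_ocsp on;
    # rewrite ^/commented-out /nope;      <- commented out, must not be reported
    charset_map utf-8 koi8-r { }
    if ($request_uri ~* "^/bitrix/admin/") { return 403; }
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /app/ {
        proxy_http_version 2;
        proxy_set_body "payload=$arg_x";
        proxy_pass http://127.0.0.1:8080;
    }
    location /py/ {
        uwsgi_pass unix:/run/uwsgi.sock;
    }
}
'

if [ "${1:-}" = "--scan" ]; then
    find_risky_directives                     # real config arrives on stdin
else
    printf '%s\n' "$SAMPLE_CONF" | find_risky_directives
    echo "hits: $(count_hits "$SAMPLE_CONF")"
fi
```

The proxy_set_body check is coarse: it fires when both directives appear anywhere in the file, not only in the same location block, which errs on the side of reporting. A hit for the rewrite module on a VMBitrix host is expected and simply confirms what the advisory says: the update is not optional.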

Bitrix24 cloud service customers and the internal infrastructure of 1C-Bitrix were patched by the developer in advance, prior to the release of this public notification.

Please note: if your architecture uses third-party nginx installations outside the VMBitrix environment, they must be updated manually by downloading patches from the official resources of the respective developers.

Update Guide

To keep VMBitrix secure, it is mandatory to update the virtual machine with the command:

dnf clean all && dnf update

If you need to build a third-party module into nginx that is not included in the base VMBitrix distribution, use the source package repository.

Create a source repository file at /etc/yum.repos.d/bitrix-source-9.repo with the following contents:

[bitrix-source-9]
name=Bitrix Packages Source for Enterprise Linux 9 - x86_64
baseurl=https://repo.bitrix24.tech/dnf/SRPMS
enabled=1
gpgcheck=1
priority=1
failovermethod=priority
gpgkey=https://repo.bitrix24.tech/dnf/RPM-GPG-KEY-BitrixEnv-9

Make sure the yum-utils and dnf-utils packages, which provide yumdownloader, are installed:

dnf clean all && dnf install -y dnf-utils yum-utils

Download the source files for the bx-nginx package:

yumdownloader --source bx-nginx

The expected command line output will look approximately like this:

[root@localhost ~]# yumdownloader --source bx-nginx
enabling epel-source repository
enabling epel-cisco-openh264-source repository
enabling baseos-source repository
enabling appstream-source repository
enabling crb-source repository
enabling extras-source repository
Extra Packages for Enterprise Linux 9 - x86_64 - Source 2.4 MB/s | 4.3 MB 00:01
Rocky Linux 9 - BaseOS - Source 429 kB/s | 423 kB 00:00
Rocky Linux 9 - AppStream - Source 280 kB/s | 945 kB 00:03
Rocky Linux 9 - CRB - Source 116 kB/s | 139 kB 00:01
Rocky Linux 9 - Extras Source 10 kB/s | 14 kB 00:01
bx-nginx-1.30.2-0.el9.src.rpm 4.6 MB/s | 118 MB 00:25
[root@localhost ~]#
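After dnf update, confirm that the fix is actually in place rather than trusting the package manager's exit code. The script below is an added example, not part of the 1C-Bitrix guide. It assumes that rpm -q bx-nginx reports the package as bx-nginx-1.30.2-0.el9.x86_64 (matching the SRPM name in the output above), that nginx -v on the patched build reports nginx/1.30.2, that the service unit is called nginx, and a Linux host with GNU stat and date plus procps (pgrep, ps); the sample strings used in the offline run are constructed.

```sh
#!/bin/sh
# Added example (not 1C-Bitrix code): verify that the bx-nginx update took effect.
#   1. the installed bx-nginx package version is >= 1.30.2 (the fixed build);
#   2. the nginx binary on disk reports the same version;
#   3. the running master process started after the binary was installed,
#      i.e. nginx was restarted and is not still executing the old code.
# Live run:   BX_CHECK_LIVE=1 sh bx_verify.sh
# Without BX_CHECK_LIVE the checks run on constructed sample strings only.

FIXED_VERSION=1.30.2        # from the advisory; raise it if a later bx-nginx build is published

# version_ge A B: exit 0 if dotted numeric version A >= B (POSIX sh, no sort -V needed)
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}                 # a missing component counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# pkg_version "bx-nginx-1.30.2-0.el9.x86_64" -> 1.30.2   (format of: rpm -q bx-nginx)
pkg_version() {
    v=${1#bx-nginx-}
    printf '%s\n' "${v%%-*}"
}

# nginx_version "nginx version: nginx/1.30.2" -> 1.30.2   (format of: nginx -v, printed on stderr)
nginx_version() {
    v=${1##*/}
    printf '%s\n' "${v%% *}"
}

# is_patched RPM_STRING NGINX_V_STRING: exit 0 only if package and binary agree and are >= FIXED_VERSION
is_patched() {
    p=$(pkg_version "$1")
    n=$(nginx_version "$2")
    [ "$p" = "$n" ] || { echo "package $p and binary $n disagree (stale binary or manual build?)"; return 1; }
    version_ge "$p" "$FIXED_VERSION"
}

# nginx_restarted_since_install: exit 0 if the oldest nginx process (the master) started
# after the binary's mtime. Assumes GNU stat/date and procps pgrep/ps (Linux, as on VMBitrix).
nginx_restarted_since_install() {
    bin=$(command -v nginx) || { echo "nginx binary not in PATH"; return 1; }
    pid=$(pgrep -o -x nginx) || { echo "no nginx process running"; return 1; }
    bin_mtime=$(stat -c %Y "$bin")
    proc_start=$(date -d "$(ps -o lstart= -p "$pid")" +%s)
    [ "$proc_start" -gt "$bin_mtime" ]
}

if [ "${BX_CHECK_LIVE:-0}" = 1 ]; then
    rpm_out=$(rpm -q bx-nginx) || { echo "bx-nginx is not installed"; exit 2; }
    nginx_out=$(nginx -v 2>&1)
    if is_patched "$rpm_out" "$nginx_out"; then
        echo "OK: bx-nginx $(pkg_version "$rpm_out") >= $FIXED_VERSION"
    else
        echo "VULNERABLE: run: dnf clean all && dnf update"; exit 1
    fi
    if nginx_restarted_since_install; then
        echo "OK: running nginx master started after the binary was installed"
    else
        echo "WARNING: nginx master predates the binary; run: systemctl restart nginx"; exit 1
    fi
else
    # constructed sample strings in the formats rpm -q and nginx -v produce
    is_patched "bx-nginx-1.30.2-0.el9.x86_64" "nginx version: nginx/1.30.2" && echo "sample 1: patched"
    is_patched "bx-nginx-1.30.0-0.el9.x86_64" "nginx version: nginx/1.30.0" || echo "sample 2: vulnerable"
fi
```

The third check matters because dnf replaces the file on disk but does not necessarily restart a long-running master process; until nginx is restarted the vulnerable code is still what answers requests.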

Do not delay installing the patch. Attackers already have a ready-to-use NGINX Rift exploit with an ASLR bypass, and information security analysts confirm active exploitation attempts in the wild.