Urgent Release of bx-nginx 1.30.2 by 1C-Bitrix: Protection Against May nginx Web Server Vulnerabilities | ONELAB

28.05.2026

In May 2026, nginx developers, in collaboration with F5 experts, reported the discovery of seven vulnerabilities in one of the most widely used web servers in the world. To protect its users, 1C-Bitrix has released an emergency update for the bx-nginx package, version 1.30.2, for the VMBitrix virtual environment. This patch fixes all identified security flaws, including the most critical ones: CVE-2026-9256 ("nginx-poolslip") and NGINX Rift (CVE-2026-42945). The threat requires immediate action, as a working exploit for NGINX Rift is already publicly available.

Summary: Server administrators using VMBitrix should install the bx-nginx 1.30.2 update as soon as possible. Experts are already reporting active exploitation attempts by attackers using the NGINX Rift exploit, which is capable of bypassing ASLR protection mechanisms.

Incident Details

Recently, F5 specialists and nginx developers presented a joint disclosure report on six bugs in nginx Open Source and nginx Plus. On the same day, security updates were released for the stable branch (nginx 1.30.1) and the mainline branch (nginx 1.31.0). Later, on May 22, during further auditing, a seventh vulnerability was found and fixed (the patch is included in nginx 1.31.1).

The highest danger is posed by the NGINX Rift (CVE-2026-42945) vulnerability, which involves a heap buffer overflow in the rewrite module. This bug, discovered by researchers from the depthfirst team, had been present in the codebase since 2008, affecting all nginx Open Source builds from version 0.6.27 to 1.30.0. Given the global prevalence of nginx, a massive number of infrastructures were threatened, including 1C-Bitrix server solutions. The Bitrix team quickly compiled a patched version of the web server, conducted compatibility tests with VMBitrix, and released the protective update bx-nginx 1.30.2 on May 25.

Mitigated Security Threats

CVE-2026-42945 (NGINX Rift): heap buffer overflow inside ngx_http_rewrite_module; allows unauthenticated remote code execution (RCE). Severity: 9.2 (CVSS v4) / 8.1 (CVSS v3.1). Discovered by: depthfirst / F5.

CVE-2026-9256 (nginx-poolslip): buffer overflow inside ngx_http_rewrite_module that occurs when PCRE captures overlap; threat of RCE. Severity: Medium according to nginx's own estimate. Discovered by: Mufeed VH (Winfunc Research).

CVE-2026-42926: HTTP/2 request injection via the proxy_set_body parameter when proxy_http_version 2 is active. Severity: Medium. Discovered by: Mufeed VH (Winfunc Research).

CVE-2026-40701: use-after-free in ngx_http_ssl_module with the ssl_ocsp option enabled. Severity: Medium. Discovered by: Leo Lin.

CVE-2026-42946: buffer over-read in the ngx_http_uwsgi_module and ngx_http_scgi_module components. Severity: 8.3 (CVSS v4). Discovered by: F5.

CVE-2026-42934: out-of-bounds read in ngx_http_charset_module during UTF-8 processing in the charset_map directive. Severity: Low. Discovered by: F5.

CVE-2026-40460: IP address spoofing via the HTTP/3 protocol during QUIC connection migration. Severity: Medium. Discovered by: Rodrigo Laneth.

Interestingly, the nginx team itself assigned a medium priority (severity medium) to the CVE-2026-42945 vulnerability. Nevertheless, F5 analysts, the original discoverers from depthfirst, and several independent laboratories (Qualys, Orca Security, Cloud Security Alliance) rate the threat at 9.2 points according to the CVSS v4 standard, classifying it as critical. 1C-Bitrix developers agree with the opinion of the cybersecurity community and also consider this issue critical.

Which Systems are Affected

This update is critically important for servers deployed on VMBitrix — the proprietary 1C-Bitrix virtual machine, where nginx is the built-in web server. Vulnerabilities can be exploited if the corresponding functions are active (rewrite, ssl_ocsp, proxy_set_body over HTTP/2, charset_map directives, as well as uwsgi/scgi proxying or the HTTP/3 protocol). It should be emphasized: in standard VMBitrix configurations, the rewrite module is usually enabled, making the risk of exploitation via NGINX Rift very high.

Bitrix24 cloud servers and 1C-Bitrix internal IT environments were protected with corresponding patches prior to the publication of this news.

Important note: if you manage nginx installations on other servers (not using VMBitrix), you will need to update them independently, relying on the releases from the official maintainers of your distributions.
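The two questions a defender has to answer for every nginx host, whether it runs VMBitrix or not, are "is my build in the affected version range?" and "does my configuration actually enable the features the fixed bugs live in?". The following POSIX shell script is an added triage example written for this page; it is not code from 1C-Bitrix or nginx. It compares a version string against the NGINX Rift range the advisory gives (0.6.27 through 1.30.0) and scans a config file for the directives listed above (rewrite, ssl_ocsp, proxy_set_body, charset_map, uwsgi/scgi proxying, QUIC), skipping commented-out lines. The sample config, its path, and the version values fed to it are constructed for the example.

```shell
#!/bin/sh
# Added triage helper for the advisory above (written for this page, not code
# from 1C-Bitrix or nginx). It (1) checks whether an nginx version string lies
# in the NGINX Rift affected range the advisory gives, 0.6.27 through 1.30.0,
# and (2) lists which of the risk-relevant directives named in the advisory a
# config file actually enables, ignoring commented-out lines.
# The sample config and its file path are constructed for the example.

# version_key: "1.30.2" -> 1030002 so versions compare as plain integers
version_key() {
    echo "$1" | awk -F. '{ print ($1 * 1000000) + ($2 * 1000) + $3 }'
}

# affected_by_rift VERSION: prints "affected" or "not affected"
affected_by_rift() {
    v=$(version_key "$1")
    lo=$(version_key "0.6.27")
    hi=$(version_key "1.30.0")
    if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
        echo "affected"
    else
        echo "not affected"
    fi
}

# risky_directives FILE: prints, space separated, which of the directives the
# advisory ties to the fixed bugs appear uncommented in FILE
risky_directives() {
    found=""
    for d in rewrite ssl_ocsp proxy_set_body charset_map uwsgi_pass scgi_pass quic; do
        # strip "# ..." comments first so disabled directives do not count;
        # the trailing class keeps e.g. rewrite_log from matching "rewrite"
        if sed 's/#.*//' "$1" | grep -Eq "(^|[[:space:]])$d([[:space:];]|$)"; then
            found="$found $d"
        fi
    done
    echo "${found# }"
}

# Constructed sample config (not a real VMBitrix file): rewrite and uwsgi_pass
# are active, ssl_ocsp is commented out.
SAMPLE_CONF="${TMPDIR:-/tmp}/nginx-triage-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 443 ssl;
    # ssl_ocsp on;
    server_name example.invalid;
    location / {
        rewrite ^/old/(.*)$ /new/$1 permanent;
        proxy_http_version 1.1;
    }
    location /app {
        uwsgi_pass unix:/run/app.sock;
    }
}
EOF

# On a live host, feed the server's own version instead of a literal, e.g.
#   affected_by_rift "$(nginx -v 2>&1 | sed 's#.*nginx/##')"
echo "nginx 1.30.0: $(affected_by_rift 1.30.0)"   # affected
echo "nginx 1.30.2: $(affected_by_rift 1.30.2)"   # not affected
echo "risky directives in sample config: $(risky_directives "$SAMPLE_CONF")"
```

Run it against the real nginx.conf (and the files it includes) rather than one file: a "rewrite" or "uwsgi_pass" hit on an affected version is the signal to prioritise that host for the update, while a clean scan only lowers exposure and is not a substitute for patching.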

Patch Installation Guide

To secure your VMBitrix environment, run the update from the console:

dnf clean all && dnf update

In case you need to build nginx with additional modules that are not included in the standard VMBitrix package, use the source repository.

Add the repository configuration file /etc/yum.repos.d/bitrix-source-9.repo with the following contents:

[bitrix-source-9]
name=Bitrix Packages Source for Enterprise Linux 9 - x86_64
baseurl=https://repo.bitrix24.tech/dnf/SRPMS
enabled=1
gpgcheck=1
priority=1
failovermethod=priority
gpgkey=https://repo.bitrix24.tech/dnf/RPM-GPG-KEY-BitrixEnv-9

Make sure that the dnf-utils and yum-utils utilities are present on the server:

dnf clean all && dnf install -y dnf-utils yum-utils

Download the source files for the bx-nginx package:

yumdownloader --source bx-nginx

The approximate terminal output should look like this:

[root@localhost ~]# yumdownloader --source bx-nginx
enabling epel-source repository
enabling epel-cisco-openh264-source repository
enabling baseos-source repository
enabling appstream-source repository
enabling crb-source repository
enabling extras-source repository
Extra Packages for Enterprise Linux 9 - x86_64 - Source 2.4 MB/s | 4.3 MB 00:01
Rocky Linux 9 - BaseOS - Source 429 kB/s | 423 kB 00:00
Rocky Linux 9 - AppStream - Source 280 kB/s | 945 kB 00:03
Rocky Linux 9 - CRB - Source 116 kB/s | 139 kB 00:01
Rocky Linux 9 - Extras Source 10 kB/s | 14 kB 00:01
bx-nginx-1.30.2-0.el9.src.rpm 4.6 MB/s | 118 MB 00:25
[root@localhost ~]#

We strongly recommend not delaying the update. Attackers already possess a working exploit for NGINX Rift that successfully bypasses ASLR protection, and security specialists regularly detect attempts to exploit this vulnerability in the wild.
