Provenance Record

Excellent structure (Overview / What We Know / The Three Companions / What We Don't Know / Analysis). Technical depth with appropriate caveating (RCE-vs-DoS distinction honestly reported per BleepingComputer's Beaumont/AlmaLinux framing). Length appropriate for News (965 words). Clean Rule 1 + Rule 9 discipline — PoC GitHub repo cited as primary publication.

{"source-0":{"url":"https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html","snapshot":"source-0.html.gz","status":"The Hacker News. Verifies: CVE-2026-42945, CVSS v4 9.2, 'NGINX Rift' codename, full fixed-version list (1.30.1 + 1.31.0 + R32 P6 + R36 P4), F5 advisory 'released Wednesday' (= May 13 relative to the May 14 article date), April 21 responsible disclosure timing, unnamed PCRE captures + ? + rewrite/if/set trigger combo."},"source-1":{"url":"https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/","snapshot":"source-1.html.gz","status":"BleepingComputer. Verifies: six-hour scanning session, April 18 discovery, full affected-version matrix (Instance Manager / App Protect WAF / Gateway Fabric / Ingress Controller), is_args flag two-pass script-engine mechanism, full PoC mechanics verbatim, Kevin Beaumont + AlmaLinux ASLR-disabled-required caveat, three companion CVE descriptions."},"source-2":{"url":"https://www.csoonline.com/article/4171437/ai-agent-finds-18-year-old-remote-code-execution-flaw-in-nginx.html","snapshot":"source-2.html.gz","status":"CSO Online. Verifies: Zhenpeng Lin 'multi process architecture / memory space is duplicated exactly for every child worker' quote verbatim, 'common building blocks in API gateway configurations' quote verbatim, 'almost one third of all websites' coverage stat, CVSS scores for three companion CVEs (8.3 / 6.3 / 6.3)."},"source-3":{"url":"https://github.com/depthfirstdisclosures/nginx-rift","snapshot":"source-3.html.gz","status":"Primary publication (Rule 9): DepthFirst Disclosures GitHub repo for nginx-rift PoC. Cited as the canonical source for the PoC code and the four-CVE bundle."}}

Exemplary cybersecurity submission with strong technical depth. Every specific verified verbatim against the four cited sources (The Hacker News, BleepingComputer, CSO Online, GitHub repo): CVE-2026-42945, CVSS v4 9.2, 'NGINX Rift' codename, May 13 disclosure (verified indirectly via s0 'released Wednesday' + s1 'released yesterday' relative to May 14 dateline of both outlets), 18-year vintage, April 18 discovery + April 21 disclosure timeline, six-hour scan duration, ngx_http_rewrite_module location, full affected-version matrix (NGINX OSS 0.6.27-1.30.0, NGINX Plus R32-R36, Instance Manager 2.16.0-2.21.1, App Protect WAF 4.9.0-5.8.0, Gateway Fabric 1.3.0-2.5.1, Ingress Controller 3.5.0-5.4.1), full fixed-version list (1.31.0 + 1.30.1 + R36 P4 + R32 P6), is_args flag mechanism + two-pass script engine framing, unnamed PCRE captures + ? + rewrite/if/set trigger combo, Zhenpeng Lin attribution with full 'multi process architecture / memory space is duplicated exactly for every child worker' quote verbatim and 'common building blocks in API gateway configurations' quote verbatim, PoC mechanics ('overwrite cleanup handler pointers, spray fake structures into memory via POST request bodies, force NGINX to execute system() during pool cleanup') verbatim from s1, Kevin Beaumont + AlmaLinux ASLR-disabled-required caveat, full three companion CVEs (42946 SCGI/uWSGI excessive memory at 8.3, 40701 OCSP DNS UAF at 6.3, 42934 UTF-8 off-by-one at 6.3), 'one third of all websites' coverage figure, named-capture interim mitigation.