An AI-powered source code analysis system discovered an 18-year-old heap overflow vulnerability (NGINX Rift, CVE-2026-42945) in NGINX's rewrite module within just 6 hours, demonstrating how autonomous security scanning can identify critical bugs that have remained undetected in widely-used software for decades. The vulnerability, introduced in NGINX 0.6.27 in 2008, occurs when specific URL rewriting configurations cause the server to miscalculate memory allocation, leading to heap buffer overflow that can crash the server or enable remote code execution under certain conditions.
Install our extension to search inside any video instantly.
NGINX Rift: An 18-Year-Old Vulnerability Found by AIAdded:
18 years. That's how long a heap overflow bug has sat undiscovered in Engine X, the web server software that powers roughly a third of public websites.
Then, an AI scanner pointed at the source code and flagged it in just 6 hours.
The flaw is called Engine X Rift, disclosed yesterday by research firm Depth First. F5, which maintains Engine X, confirmed the bug and shipped patches the same day. That's quick.
It was introduced way back in Engine X 0.6.27 in 2008 and stayed in every release through 1.30.0.
If you don't know, Engine X is an open-source web server. You've probably been using it all day. Things like Netflix video delivery, wordpress.com, and Pinterest all run on it, along with plenty of other major sites. If you've got a home lab with a front end, it's probably in your stack, too.
The Rift bug lives in the Engine X URL rewriting code. The part that handles rules like, "If a URL looks like A, change it to B."
It triggers on a config pattern Depth First calls common. A rewrite rule using a particular pattern match shortcut, a question mark in the new URL, and another rule right after. When those three line up, Engine X miscalculates how much memory it needs. It measures the space one way, but writes another.
The result is a heap overflow.
Anyone who can reach a vulnerable server can crash it with one crafted HTTP request. No login required.
Bleeping Computer reports the bug can also be exploited for remote code execution, RCE, under certain conditions.
The public proof of concept demonstrates full code execution, but only with ASLR turned off.
ASLR is enabled by default, so denial of service is broadly reachable, while RCE on a default install is harder.
Depth first runs an AI-powered source code analysis system. They pointed it at Engine X, and inside 6 hours it flagged four memory corruption issues, and a bug that survived 18 years of public code review, flagged by an autonomous scanner on its first run.
So, if you're running Engine X older than 1.31.0 or 1.30.1, upgrade. If you can't upgrade right away, audit your config for the trigger pattern and apply the workaround from F5's advisory.
A lot of the internet runs on decades of handwritten C that no human has had time to fully audit. The scanners are now doing it, whether they're good scanners or bad scanners.
Related Videos
Agentforce NOW AMA: Build with React and Salesforce Multi-Framework
SalesforceDevs
490 viewsโข2026-05-28
How agent o11y differs from traditional o11y โ Phil Hetzel, Braintrust
aiDotEngineer
450 viewsโข2026-05-28
WEB TECHNOLOGIES UNIT-2 | Degree 4th sem BCOM Computers web technologies unit-2 full explanation๐ฏโ
LearnwithSahera
1K viewsโข2026-05-29
More tests are always better? How to use AI to identify tests that bring little value
Alliance4Qualification
335 viewsโข2026-05-29
Search Algorithms Explained in 60 Seconds! ๐ค๐จ
samarthtuliofficial
218 viewsโข2026-06-01
People of Game of Thrones using JavaScript DOM
AltCampus
296 viewsโข2026-05-30
Introduction to Problem Solving Part - 1 | Lecture 1 | Intermediate DSA
ascensionix
107 viewsโข2026-05-29
So What's Odin Lang Even Good For
TechOverTea
131 viewsโข2026-06-01
