Summary
All Alpine-based images in this repository that include nginx are currently vulnerable
to CVE-2026-42945 (NGINX Rift), a critical heap buffer overflow disclosed on May 13, 2026.
The Alpine package repos do not yet ship a patched nginx version, so simply rebuilding
the images will not fix the issue.
Vulnerability
- CVE: CVE-2026-42945
- Nickname: NGINX Rift
- CVSS v4: 9.2 (Critical)
- Affected: nginx 0.6.27 through 1.30.0
- Fixed in: nginx 1.31.0 / 1.30.1
- PoC: Public exploit available (DepthFirstDisclosures/Nginx-Rift)
A heap buffer overflow in ngx_http_rewrite_module allows an unauthenticated attacker
to crash nginx workers or achieve RCE via a single crafted HTTP request. No authentication
or session required.
Problem
Alpine's official package repos do not yet carry nginx 1.30.1 or 1.31.0, regardless of
Alpine version. Any image based on Alpine that installs nginx via apk will remain on
a vulnerable version until Alpine updates its package index.
Temporary Workaround
Until Alpine ships a patched nginx package, you can override the container entrypoint
in docker-compose.yml to force-install nginx from the official nginx mainline Alpine
repo at startup:
```yaml
entrypoint: >
  sh -c "
  apk add --no-cache curl &&
  curl -fsSL https://nginx.org/keys/nginx_signing.rsa.pub -o /etc/apk/keys/nginx_signing.rsa.pub &&
  echo 'https://nginx.org/packages/mainline/alpine/v3.23/main' >> /etc/apk/repositories &&
  apk update &&
  apk add --no-cache --upgrade --repository https://nginx.org/packages/mainline/alpine/v3.23/main nginx &&
  mkdir -p /var/cache/nginx/client_temp &&
  docker-php-entrypoint"
```
Note: Replace `v3.23` with your image's Alpine version if different.
Check with `cat /etc/alpine-release` inside the container.
Verify after the container starts:
```sh
docker exec -it <container_id> nginx -v
# Expected: nginx version: nginx/1.31.0
```
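To make the verification step above repeatable across many containers, here is an added helper script (not part of this issue or the image repository) that parses the `nginx -v` banner and reports whether the reported version falls inside the affected range given in the Vulnerability section. It assumes the `docker` CLI is on PATH for `check_container`; the other functions are pure shell and work on any banner string.

```shell
#!/bin/sh
# Added example, not part of the original issue: classify an `nginx -v` banner
# against the affected range stated in this advisory (0.6.27 through 1.30.0).
# Assumes the docker CLI is on PATH for check_container; the other functions are pure.

# Pull the bare version out of the banner, e.g. "nginx version: nginx/1.31.0" -> 1.31.0
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Encode MAJOR.MINOR.PATCH as one integer so versions compare numerically
# (1.30.0 -> 1030000, 1.30.1 -> 1030001, 0.6.27 -> 6027).
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 when the version falls inside the affected range, 1 otherwise.
nginx_is_vulnerable() {
    key=$(version_key "$1")
    if [ "$key" -ge "$(version_key 0.6.27)" ] && [ "$key" -le "$(version_key 1.30.0)" ]; then
        return 0
    fi
    return 1
}

# Human-readable verdict for a banner; status 2 if the banner cannot be parsed.
classify_banner() {
    v=$(parse_nginx_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: could not parse '$1'"
        return 2
    elif nginx_is_vulnerable "$v"; then
        echo "VULNERABLE $v"
    else
        echo "patched $v"
    fi
}

# The verification step from this issue, run non-interactively: no -t flag, so it works
# from scripts and CI, and 2>&1 because nginx -v prints its banner on stderr.
check_container() {
    if ! banner=$(docker exec "$1" nginx -v 2>&1); then
        echo "unknown: docker exec failed for $1"
        return 2
    fi
    classify_banner "$banner"
}
```

Loop `check_container` over `docker ps -q` to sweep every running container; a verdict of `patched 1.30.1` or `patched 1.31.0` means the entrypoint override took effect.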
Request
Once Alpine ships a patched nginx package (1.30.1 or 1.31.0), please trigger a rebuild
of all Alpine-based nginx images so the fix is baked in and this workaround is no longer
needed.
Progress on Alpine's patched package can be tracked here:
https://pkgs.alpinelinux.org/packages?name=nginx&branch=edge
References