diff --git a/README.md b/README.md
index 8147fb0..f2096a2 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,35 @@
-# Nginx Rift Exploit
+# NGINX Rift
 
-**CVE:** CVE-2026-42945  
-**Tested on:** Ubuntu 24.04.3 LTS
+RCE Proof of concept for **CVE-2026-42945**, a critical heap buffer overflow in NGINX's `ngx_http_rewrite_module` introduced in 2008. The bug enables unauthenticated remote code execution against servers using `rewrite` and `set` directives.
+
+This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by [depthfirst](https://depthfirst.com)'s security analysis system after a single click of onboarding the NGINX source.
+
+> Want to find issues like this in your own code? Try the same system at **<https://depthfirst.com/open-defense>**.
+
+## The Bug (TL;DR)
+
+NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The `is_args` flag is set on the main engine when a `rewrite` replacement contains `?`, but the length-calculation pass runs on a freshly zeroed sub-engine. So:
+
+- **Length pass** sees `is_args = 0` → returns raw capture length.
+- **Copy pass** sees `is_args = 1` → calls `ngx_escape_uri` with `NGX_ESCAPE_ARGS`, expanding each escapable byte to 3 bytes.
+
+The copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent `ngx_pool_t`'s `cleanup` pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake `ngx_pool_cleanup_s` invoking `system()` on pool destruction.
+
+Read more about this bug in our [technical write-up](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability).
+
+## Affected & Fixed Versions
+
+| Product | Affected | Fixed in |
+| --- | --- | --- |
+| NGINX Open Source | 0.6.27 – 1.30.0 | 1.31.0, 1.30.1 |
+| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |
+
+Full vendor advisory: <https://my.f5.com/manage/s/article/K000160932>
 
 ## Usage
 
-1. Run `./setup.sh` to create the container.
-2. Run `docker compose -f env/docker-compose.yml up` to start the vulnerable nginx server.
-3. Run `python3 poc.py --shell` to achieve RCE (Remote Code Execution).
\ No newline at end of file
+Tested on Ubuntu 24.04.3 LTS.
+
+1. `./setup.sh` — build the container.
+2. `docker compose -f env/docker-compose.yml up` — start the vulnerable NGINX server.
+3. `python3 poc.py --shell` — pop a shell.