Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities found for nginx_app_protect_dos by f5

    CVE-2026-42055 (GCVE-0-2026-42055)

    Vulnerability from nvd – Published: 2026-06-17 14:04 – Updated: 2026-07-15 00:58 X_F5
    VLAI
    Title
    NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability
    Summary
    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    • CWE-131 - Incorrect Calculation of Buffer Size
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 NGINX Open Source Affected: 1.13.10 , < 1.31.2 (custom)
    Affected: 1.30.2 , < 1.30.3 (custom)
    Create a notification for this product.
    F5 NGINX Plus Affected: 37.0 , < 37.0.2.1 (custom)
    Affected: R36 , < R36 P6 (custom)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10 Unaffected: 2:1.26.3-6.el10_2.5 , < * (rpm)
        cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8 Unaffected: 8100020260707171317.489197e6 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 2:1.20.1-28.el9_8.4 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 9080020260707164406.9 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 9080020260707110000.9 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Hardened Images Unaffected: 1.30.3-2.hum1 , < * (rpm)
        cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Create a notification for this product.
    Date Public
    2026-06-17 14:00
    Credits
    "F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and 章鱼哥 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure."
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42055",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T03:57:46.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "2:1.26.3-6.el10_2.5",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx:1.24",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "8100020260707171317.489197e6",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "2:1.20.1-28.el9_8.4",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx:1.24",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "9080020260707164406.9",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx:1.26",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "9080020260707110000.9",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx-main",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "1.30.3-2.hum1",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "unaffected",
                "packageName": "odf4/ocs-client-console-rhel9",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "packageName": "odf4/odf-console-rhel9",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "unaffected",
                "packageName": "odf4/odf-multicluster-console-rhel9",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-17T14:04:32.520Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart of the NGINX worker process and a Denial of Service (DoS). Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled or bypassed, this vulnerability could also allow for arbitrary code execution."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-131",
                    "description": "Incorrect Calculation of Buffer Size",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T00:58:16.251Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-42055"
              },
              {
                "name": "RHBZ#2489866",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489866"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36364"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:38847"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36618"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36331"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36639"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:27197"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:36364: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:38847: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36618: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36331: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36639: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:27197: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-17T16:01:41.848Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-17T14:04:32.520Z",
                "value": "Made public."
              }
            ],
            "title": "nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, ensure that the `ignore_invalid_headers` directive is set to `on` in your NGINX configuration, or reduce the size specified by the `large_client_header_buffers` directive to 2 megabytes or less. These changes require an NGINX service reload or restart to take effect. Reloading the NGINX service is generally safe, but a restart will briefly interrupt service."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "ngx_http_proxy_v2_module",
                "ngx_http_grpc_module"
              ],
              "product": "NGINX Open Source",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.31.2",
                  "status": "affected",
                  "version": "1.13.10",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.30.3",
                  "status": "affected",
                  "version": "1.30.2",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ngx_http_proxy_v2_module",
                "ngx_http_grpc_module"
              ],
              "product": "NGINX Plus",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "37.0.2.1",
                  "status": "affected",
                  "version": "37.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "R36 P6",
                  "status": "affected",
                  "version": "R36",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "\"F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and \u7ae0\u9c7c\u54e5 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
            }
          ],
          "datePublic": "2026-06-17T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_proxy_v2_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_grpc_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003eproxy_http_version to 2\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003egrpc_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directives are used to proxy HTTP/2 traffic, the \u003c/span\u003e\u003cstrong\u003eignore_invalid_headers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to off, and the \u003c/span\u003e\u003cstrong\u003elarge_client_header_buffers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
                }
              ],
              "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module\u00a0and ngx_http_grpc_module\u00a0modules. This vulnerability exists when the proxy_http_version to 2\u00a0or grpc_pass\u00a0directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers\u00a0directive is set to off, and the large_client_header_buffers\u00a0directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-17T14:04:32.520Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000161584"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_F5"
          ],
          "title": "NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2026-42055",
        "datePublished": "2026-06-17T14:04:32.520Z",
        "dateReserved": "2026-06-02T21:45:04.818Z",
        "dateUpdated": "2026-07-15T00:58:16.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42946 (GCVE-0-2026-42946)

    Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06
    VLAI
    Title
    NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability
    Summary
    A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    • CWE-823 - Use of Out-of-range Pointer Offset
    Assigner
    f5
    References
    URL Tags
    https://my.f5.com/manage/s/article/K000161027 vendor-advisorypatch
    Impacted products
    Vendor Product Version
    F5 NGINX Plus Unaffected: R37 , < * (custom)
    Affected: R36 , < R36 P4 (custom)
    Affected: R32 , < R32 P6 (custom)
    Create a notification for this product.
    F5 NGINX Open Source Unaffected: 1.31.0 , < * (semver)
    Affected: 0.8.42 , < 1.30.1 (semver)
    Create a notification for this product.
    Date Public
    2026-05-13 14:00
    Credits
    F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T15:55:04.864917Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T16:06:56.898Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "ngx_http_scgi_module and ngx_http_uwsgi_module"
              ],
              "product": "NGINX Plus",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "R37",
                  "versionType": "custom"
                },
                {
                  "lessThan": "R36 P4",
                  "status": "affected",
                  "version": "R36",
                  "versionType": "custom"
                },
                {
                  "lessThan": "R32 P6",
                  "status": "affected",
                  "version": "R32",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ngx_http_scgi_module and ngx_http_uwsgi_module"
              ],
              "product": "NGINX Open Source",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.31.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.30.1",
                  "status": "affected",
                  "version": "0.8.42",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
            }
          ],
          "datePublic": "2026-05-13T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in the \u003c/span\u003e\u003cstrong\u003engx_http_scgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_uwsgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules that may result in excessive memory allocation or an over-read of data. When \u003c/span\u003e\u003cstrong\u003escgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003euwsgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
                }
              ],
              "value": "A vulnerability exists in the ngx_http_scgi_module\u00a0and ngx_http_uwsgi_module\u00a0modules that may result in excessive memory allocation or an over-read of data. When scgi_pass\u00a0or uwsgi_pass\u00a0is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-823",
                  "description": "CWE-823: Use of Out-of-range Pointer Offset",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T14:12:44.697Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://my.f5.com/manage/s/article/K000161027"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2026-42946",
        "datePublished": "2026-05-13T14:12:44.697Z",
        "dateReserved": "2026-04-30T23:04:27.965Z",
        "dateUpdated": "2026-05-13T16:06:56.898Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42055 (GCVE-0-2026-42055)

    Vulnerability from cvelistv5 – Published: 2026-06-17 14:04 – Updated: 2026-07-15 00:58 X_F5
    VLAI
    Title
    NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability
    Summary
    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-122 - Heap-based Buffer Overflow
    • CWE-131 - Incorrect Calculation of Buffer Size
    Assigner
    f5
    References
    Impacted products
    Vendor Product Version
    F5 NGINX Open Source Affected: 1.13.10 , < 1.31.2 (custom)
    Affected: 1.30.2 , < 1.30.3 (custom)
    Create a notification for this product.
    F5 NGINX Plus Affected: 37.0 , < 37.0.2.1 (custom)
    Affected: R36 , < R36 P6 (custom)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10 Unaffected: 2:1.26.3-6.el10_2.5 , < * (rpm)
        cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8 Unaffected: 8100020260707171317.489197e6 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 2:1.20.1-28.el9_8.4 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 9080020260707164406.9 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9 Unaffected: 9080020260707110000.9 , < * (rpm)
        cpe:/a:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Hardened Images Unaffected: 1.30.3-2.hum1 , < * (rpm)
        cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat Openshift Data Foundation 4     cpe:/a:redhat:openshift_data_foundation:4
    Create a notification for this product.
    Date Public
    2026-06-17 14:00
    Credits
    "F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and 章鱼哥 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure."
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42055",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T03:57:46.697Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "2:1.26.3-6.el10_2.5",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx:1.24",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "8100020260707171317.489197e6",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "2:1.20.1-28.el9_8.4",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx:1.24",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "9080020260707164406.9",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx:1.26",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "9080020260707110000.9",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "packageName": "nginx-main",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat",
                "versions": [
                  {
                    "lessThan": "*",
                    "status": "unaffected",
                    "version": "1.30.3-2.hum1",
                    "versionType": "rpm"
                  }
                ]
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "unaffected",
                "packageName": "odf4/ocs-client-console-rhel9",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "affected",
                "packageName": "odf4/odf-console-rhel9",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              },
              {
                "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
                "cpes": [
                  "cpe:/a:redhat:openshift_data_foundation:4"
                ],
                "defaultStatus": "unaffected",
                "packageName": "odf4/odf-multicluster-console-rhel9",
                "product": "Red Hat Openshift Data Foundation 4",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-17T14:04:32.520Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart of the NGINX worker process and a Denial of Service (DoS). Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled or bypassed, this vulnerability could also allow for arbitrary code execution."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-131",
                    "description": "Incorrect Calculation of Buffer Size",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T00:58:16.251Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-42055"
              },
              {
                "name": "RHBZ#2489866",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489866"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36364"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:38847"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36618"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36331"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:36639"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:27197"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:36364: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:38847: Red Hat Enterprise Linux AppStream (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36618: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36331: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:36639: Red Hat Enterprise Linux AppStream (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:27197: Red Hat Hardened Images"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-17T16:01:41.848Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-17T14:04:32.520Z",
                "value": "Made public."
              }
            ],
            "title": "nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, ensure that the `ignore_invalid_headers` directive is set to `on` in your NGINX configuration, or reduce the size specified by the `large_client_header_buffers` directive to 2 megabytes or less. These changes require an NGINX service reload or restart to take effect. Reloading the NGINX service is generally safe, but a restart will briefly interrupt service."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "ngx_http_proxy_v2_module",
                "ngx_http_grpc_module"
              ],
              "product": "NGINX Open Source",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "1.31.2",
                  "status": "affected",
                  "version": "1.13.10",
                  "versionType": "custom"
                },
                {
                  "lessThan": "1.30.3",
                  "status": "affected",
                  "version": "1.30.2",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ngx_http_proxy_v2_module",
                "ngx_http_grpc_module"
              ],
              "product": "NGINX Plus",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "37.0.2.1",
                  "status": "affected",
                  "version": "37.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "R36 P6",
                  "status": "affected",
                  "version": "R36",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "\"F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and \u7ae0\u9c7c\u54e5 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
            }
          ],
          "datePublic": "2026-06-17T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_proxy_v2_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_grpc_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003eproxy_http_version to 2\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003egrpc_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directives are used to proxy HTTP/2 traffic, the \u003c/span\u003e\u003cstrong\u003eignore_invalid_headers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to off, and the \u003c/span\u003e\u003cstrong\u003elarge_client_header_buffers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
                }
              ],
              "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module\u00a0and ngx_http_grpc_module\u00a0modules. This vulnerability exists when the proxy_http_version to 2\u00a0or grpc_pass\u00a0directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers\u00a0directive is set to off, and the large_client_header_buffers\u00a0directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-17T14:04:32.520Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://my.f5.com/manage/s/article/K000161584"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_F5"
          ],
          "title": "NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2026-42055",
        "datePublished": "2026-06-17T14:04:32.520Z",
        "dateReserved": "2026-06-02T21:45:04.818Z",
        "dateUpdated": "2026-07-15T00:58:16.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42946 (GCVE-0-2026-42946)

    Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06
    VLAI
    Title
    NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability
    Summary
    A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    • CWE-823 - Use of Out-of-range Pointer Offset
    Assigner
    f5
    References
    URL Tags
    https://my.f5.com/manage/s/article/K000161027 vendor-advisorypatch
    Impacted products
    Vendor Product Version
    F5 NGINX Plus Unaffected: R37 , < * (custom)
    Affected: R36 , < R36 P4 (custom)
    Affected: R32 , < R32 P6 (custom)
    Create a notification for this product.
    F5 NGINX Open Source Unaffected: 1.31.0 , < * (semver)
    Affected: 0.8.42 , < 1.30.1 (semver)
    Create a notification for this product.
    Date Public
    2026-05-13 14:00
    Credits
    F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T15:55:04.864917Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T16:06:56.898Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "modules": [
                "ngx_http_scgi_module and ngx_http_uwsgi_module"
              ],
              "product": "NGINX Plus",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "R37",
                  "versionType": "custom"
                },
                {
                  "lessThan": "R36 P4",
                  "status": "affected",
                  "version": "R36",
                  "versionType": "custom"
                },
                {
                  "lessThan": "R32 P6",
                  "status": "affected",
                  "version": "R32",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "modules": [
                "ngx_http_scgi_module and ngx_http_uwsgi_module"
              ],
              "product": "NGINX Open Source",
              "vendor": "F5",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "1.31.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.30.1",
                  "status": "affected",
                  "version": "0.8.42",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
            }
          ],
          "datePublic": "2026-05-13T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in the \u003c/span\u003e\u003cstrong\u003engx_http_scgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_uwsgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules that may result in excessive memory allocation or an over-read of data. When \u003c/span\u003e\u003cstrong\u003escgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003euwsgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
                }
              ],
              "value": "A vulnerability exists in the ngx_http_scgi_module\u00a0and ngx_http_uwsgi_module\u00a0modules that may result in excessive memory allocation or an over-read of data. When scgi_pass\u00a0or uwsgi_pass\u00a0is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-823",
                  "description": "CWE-823: Use of Out-of-range Pointer Offset",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T14:12:44.697Z",
            "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
            "shortName": "f5"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://my.f5.com/manage/s/article/K000161027"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability",
          "x_generator": {
            "engine": "F5 SIRTBot v1.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "assignerShortName": "f5",
        "cveId": "CVE-2026-42946",
        "datePublished": "2026-05-13T14:12:44.697Z",
        "dateReserved": "2026-04-30T23:04:27.965Z",
        "dateUpdated": "2026-05-13T16:06:56.898Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }