CVE-2026-42055
published 2026-06-17


Priority: P2 (61)
Severity: high, 8.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.89% (85.1th percentile)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected (8 ranges)

Vendor       Product             Version range           Fixed in
f5           nginx_open_source   >= 1.13.10 < 1.31.2     1.31.2
f5           nginx_open_source   >= 1.30.2 < 1.30.3      1.30.3
f5           nginx_plus          (not specified)         (not specified)
f5           nginx_plus          >= 37.0 < 37.0.2.1      37.0.2.1
f5           nginx_plus          >= R36 < R36 P6         R36 P6
nginx_1.24   nginx               (not specified)         (not specified)
nginx_1.26   nginx               (not specified)         (not specified)
ubuntu       nginx               (not specified)         (not specified)

Detection & IOCs (extracted from sources)

  • Trigger condition: NGINX configured with the proxy_http_version 2 or grpc_pass directives to proxy HTTP/2 traffic, ignore_invalid_headers set to off, AND large_client_header_buffers with a size larger than 2 megabytes; an attacker sends large headers during upstream request creation, causing a heap-based buffer overflow in the NGINX worker process
  • Monitor for unexpected NGINX worker process restarts, which are the primary observable symptom of exploitation attempts
  • Code execution risk is elevated on systems with ASLR disabled; prioritize detection and patching on such systems, as exploitation is more reliable there
  • Audit NGINX configurations for the dangerous combination: ngx_http_proxy_v2_module or ngx_http_grpc_module in use, ignore_invalid_headers off, and large_client_header_buffers > 2 MB; all three conditions must be present for exploitability
  • The vulnerability only exists when ALL THREE non-default conditions are simultaneously present: (1) proxy_http_version 2 or grpc_pass used, (2) ignore_invalid_headers set to off, (3) large_client_header_buffers size larger than 2 MB
  • Mitigation (without patching): remove the ignore_invalid_headers off directive from the configuration, OR reduce the large_client_header_buffers directive size to 2 megabytes or less; requires an NGINX service reload or restart
  • Default compiler options on affected Ubuntu releases reduce the vulnerability impact to denial of service only (not RCE)
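The configuration audit described above, as an added example that is not part of the CVE record or of NGINX's own tooling: a small Python checker that scans an nginx.conf text for the three advisory preconditions (proxy_http_version 2 or grpc_pass, ignore_invalid_headers off, large_client_header_buffers above 2 MB) and reports whether the vulnerable combination is present. The directive names and the 2 MB threshold come from the advisory; the simplified directive parser (no include handling, no per-context scoping) and the two sample configurations are assumptions constructed for this example.

```python
"""Audit NGINX configuration text for the CVE-2026-42055 precondition set.

Hypothetical helper written for this page. It flags a configuration only
when all three advisory conditions are present at once, matching the
"ALL THREE non-default conditions" note in the detection guidance.
"""
import re

# NGINX size suffixes: k = 1024 bytes, m = 1024*1024 bytes (g added for completeness).
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
LIMIT_BYTES = 2 * 1024 ** 2  # advisory: vulnerable only when larger than 2 megabytes

# Matches simple statements of the form "name arg arg;".  Block headers such as
# "server {" carry no ';' and are skipped; nested directives are still found.
DIRECTIVE_RE = re.compile(r"([A-Za-z_][\w.]*)\s*([^;{}]*?)\s*;")


def parse_size(token):
    """Convert an NGINX size token such as '8k' or '4m' into bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def iter_directives(text):
    """Yield (name, [args]) for every 'name args;' statement, comments removed."""
    text = re.sub(r"#[^\n]*", "", text)
    for m in DIRECTIVE_RE.finditer(text):
        yield m.group(1), m.group(2).split()


def assess(config_text):
    """Return (vulnerable, findings): vulnerable is True only if all three hold."""
    findings = {
        "http2_proxy": False,          # proxy_http_version 2 or grpc_pass
        "invalid_headers_off": False,  # ignore_invalid_headers off
        "big_header_buffers": False,   # large_client_header_buffers size > 2 MB
    }
    for name, args in iter_directives(config_text):
        if name == "grpc_pass" or (name == "proxy_http_version" and args and args[0] == "2"):
            findings["http2_proxy"] = True
        elif name == "ignore_invalid_headers" and args and args[0].lower() == "off":
            findings["invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            # syntax is "large_client_header_buffers number size"; the size is what matters
            if parse_size(args[1]) > LIMIT_BYTES:
                findings["big_header_buffers"] = True
    return all(findings.values()), findings


# Constructed sample: all three advisory conditions present.
VULNERABLE_CONFIG = """
http {
    large_client_header_buffers 4 4m;   # 4 MB buffers, above the 2 MB threshold
    ignore_invalid_headers off;
    server {
        listen 443 ssl;
        location /api/ {
            grpc_pass grpc://backend:50051;
        }
    }
}
"""

# Constructed sample applying the advisory's mitigation: the "off" directive is gone
# and the buffer size is back at a conventional value, while gRPC proxying stays.
HARDENED_CONFIG = """
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location /api/ {
            grpc_pass grpc://backend:50051;
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        vulnerable, findings = assess(cfg)
        print(f"{label}: vulnerable={vulnerable} findings={findings}")
```

Because the advisory says "larger than 2 megabytes", a size of exactly 2m is treated as not meeting the third condition; the check is deliberately conservative in the other direction and flags any occurrence of the directives anywhere in the file, so a hit is a prompt to review the configuration, not proof that the path is reachable.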

CVSS provenance

nvd            v3.1   8.1   HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v4.0   9.2   CRITICAL   CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cvelistv5      v3.1   8.1   HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat         8.1   HIGH
vendor_ubuntu         4.8   MEDIUM