CVE-2026-42055
Published 2026-06-17
Priority P2 (61) · high · 8.1 CVSS 3.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.89% (85.1th percentile)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | nginx_open_source | >= 1.13.10 < 1.31.2 | 1.31.2 |
| f5 | nginx_open_source | >= 1.30.2 < 1.30.3 | 1.30.3 |
| f5 | nginx_plus | — | — |
| f5 | nginx_plus | >= 37.0 < 37.0.2.1 | 37.0.2.1 |
| f5 | nginx_plus | >= R36 < R36 P6 | R36 P6 |
| nginx_1.24 | nginx | — | — |
| nginx_1.26 | nginx | — | — |
| ubuntu | nginx | — | — |
Detection & IOCs
- Trigger condition: NGINX configured with proxy_http_version 2 or grpc_pass directives proxying HTTP/2 traffic, ignore_invalid_headers set to off, AND large_client_header_buffers size larger than 2 megabytes; an attacker sends large headers during upstream request creation to trigger a heap-based buffer overflow in the NGINX worker process
- Monitor for unexpected NGINX worker process restarts, which are the primary observable symptom of exploitation attempts
- Code execution risk is elevated on systems with ASLR disabled; prioritize detection and patching on such systems, as exploitation is more reliable there
- Audit NGINX configurations for the dangerous combination: modules ngx_http_proxy_v2_module or ngx_http_grpc_module active, ignore_invalid_headers off, and large_client_header_buffers > 2 MB; all three conditions must be present for exploitability
- The vulnerability only exists when ALL THREE non-default conditions are simultaneously present: (1) proxy_http_version 2 or grpc_pass used, (2) ignore_invalid_headers set to off, (3) large_client_header_buffers size larger than 2 MB
- Mitigation (without patching): remove the ignore_invalid_headers off directive from the configuration, OR reduce the large_client_header_buffers directive size to 2 megabytes or less; requires an NGINX service reload or restart
- Default compiler options on affected Ubuntu releases reduce the vulnerability impact to denial of service only (not RCE)
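The configuration audit recommended above can be scripted. The following is an added example written for this page, not an F5/NGINX tool: it parses nginx configuration text with a small hand-written parser (no `include` handling), walks the http/server/location contexts carrying inherited directive values, and flags every block that proxies upstream with all three conditions in effect. It assumes that "size larger than 2 megabytes" refers to the size argument of `large_client_header_buffers` (interpreted as 2 MiB) and uses the nginx documented defaults (`ignore_invalid_headers on`, `large_client_header_buffers 4 8k`, `proxy_http_version 1.0`) when a directive is absent. The two sample configurations are constructed for the example, one showing the vulnerable combination and one the mitigated form.

```python
"""Audit nginx configuration text for the CVE-2026-42055 trigger combination.

Hypothetical example (not F5/NGINX code): per block that proxies upstream, checks
whether HTTP/2 proxying (proxy_http_version 2 with proxy_pass, or grpc_pass),
ignore_invalid_headers off, and a large_client_header_buffers size above 2 MiB
are all in effect at once. Assumes the directive's size argument is the "size"
the advisory refers to.
"""
import re

TWO_MB = 2 * 1024 * 1024
# Values nginx applies when the directive is absent (per the nginx directive docs).
DEFAULTS = {
    "ignore_invalid_headers": ["on"],
    "large_client_header_buffers": ["4", "8k"],
    "proxy_http_version": ["1.0"],
}


def tokenize(text):
    """Split config text into words, quoted strings, braces and semicolons.
    Comments are dropped first (a '#' inside a quoted value would be stripped too)."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)


def parse(tokens, pos=0):
    """Return (entries, pos). Each entry is (name, args, children); children is None
    for a simple directive and a list for a block such as http/server/location."""
    entries, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            entries.append((args[0], args[1:], None))
            args = []
        elif tok == "{":
            children, pos = parse(tokens, pos)
            entries.append((args[0], args[1:], children))
            args = []
        elif tok == "}":
            break
        else:
            args.append(tok.strip("\"'"))
    return entries, pos


def parse_size(value):
    """Convert an nginx size ('8k', '4m', '1024') to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", value)
    if not m:
        raise ValueError(f"unrecognised size: {value}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[m.group(2).lower()]


def audit(config_text):
    """Return one finding per block containing proxy_pass or grpc_pass, with the
    three conditions evaluated against the directive values in effect there."""
    entries, _ = parse(tokenize(config_text))
    findings = []

    def walk(block, inherited, path):
        scope = dict(inherited)
        simple = [(n, a) for n, a, c in block if c is None]
        for name, args in simple:
            if name in DEFAULTS:
                scope[name] = args  # inner context overrides the outer value
        names = {n for n, _ in simple}
        if "proxy_pass" in names or "grpc_pass" in names:
            buf_size = parse_size(scope["large_client_header_buffers"][-1])
            conds = {
                "http2_upstream": "grpc_pass" in names or scope["proxy_http_version"][0] == "2",
                "ignore_invalid_headers_off": scope["ignore_invalid_headers"][0] == "off",
                "header_buffer_over_2mb": buf_size > TWO_MB,
            }
            findings.append({"path": path, **conds, "vulnerable": all(conds.values())})
        for name, args, children in block:
            if children is not None:
                walk(children, scope, f"{path}/{' '.join([name, *args])}")

    walk(entries, DEFAULTS, "main")
    return findings


def vulnerable_paths(config_text):
    """Paths of blocks where all three conditions hold."""
    return [f["path"] for f in audit(config_text) if f["vulnerable"]]


# Constructed sample: the vulnerable combination set at http level and inherited.
VULNERABLE_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl;
        location /api/    { proxy_http_version 2; proxy_pass https://backend; }
        location /grpc/   { grpc_pass grpc://backend; }
        location /static/ { proxy_pass http://assets; }  # HTTP/1.0 upstream: not affected
    }
}
"""

# Constructed sample: same layout after applying the advisory's mitigation.
FIXED_CONF = VULNERABLE_CONF.replace("ignore_invalid_headers off;", "") \
                            .replace("large_client_header_buffers 4 4m;", "large_client_header_buffers 4 16k;")

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(label, "->", vulnerable_paths(conf) or "no vulnerable blocks")
```

Run it against a real `nginx -T` dump (which expands includes) rather than a single file; the `/static/` location shows why the check is per block: a plain HTTP/1.x `proxy_pass` under the same `http` settings is not in scope, while both the HTTP/2 and the gRPC locations are.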
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 8.1 | HIGH | — |
| vendor_ubuntu | — | 4.8 | MEDIUM | — |
Ubuntu
nginx vulnerabilities
vendor_ubuntu·2026-06-22·CVSS 4.8
CVE-2026-48142 [MEDIUM] nginx vulnerabilities
Summary: Several security issues were fixed in nginx.
It was discovered that nginx incorrectly handled large headers when proxying HTTP/2 traffic. A remote attacker could use this issue to cause nginx to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2026-42055)
It was discovered that nginx incorrectly handled character set conversion under certain circumstances. A remote attacker could possibly use this issue to obtain sensitive information or cause nginx to crash, resulting in a denial of service. (CVE-2026-48142)
Instructions: In general, a standard system update will make all the necessary changes.
F5
CVE-2026-42055: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules
vendor_f5·2026-06-17·CVSS 8.1
CVE-2026-42055 [HIGH] CWE-122 CVE-2026-42055: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Addr
Red Hat
nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers
vendor_redhat·2026-06-17·CVSS 8.1
CVE-2026-42055 [HIGH] CWE-131 nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers
A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart of the NGINX worker process and a Denial of Service (DoS). Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled or bypassed, this vulnerability could also allow for arbitrary code execution.
Statement: This issue is classified as Important severity primarily because:
Conditions for Exploitation: A remote, unauthenticated attacker can
GHSA
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules.
ghsa_unreviewed·2026-06-17
CVE-2026-42055 [CRITICAL] CWE-122 NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules.
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of
VulDB
F5 NGINX Open Source/NGINX Plus up to 1.30.2/1.31.1 heap-based overflow (K000161584)
vuldb·2026-06-17
CVE-2026-42055 [CRITICAL] F5 NGINX Open Source/NGINX Plus up to 1.30.2/1.31.1 heap-based overflow (K000161584)
A vulnerability, which was classified as critical, was found in F5 NGINX Open Source and NGINX Plus up to 1.30.2/1.31.1. This issue affects some unknown processing. The manipulation results in heap-based buffer overflow.
This vulnerability is cataloged as CVE-2026-42055. The attack may be launched remotely. There is no exploit available.
You should upgrade the affected component.
CVEList
NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability
cvelistv5·2026-06-17·CVSS 8.1
CVE-2026-42055 [HIGH] CWE-122 NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attack
No detection rules found.
No public exploits indexed.
Hackernews
F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
blogs_hackernews·2026-06-18
CVE-2026-42530 F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
## F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems.
The vulnerabilities are listed below -
CVE-2026-42530 (CVSS v4 score: 9.2) - A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module to reopen a QPACK encoder stream by means of a specially crafted HTTP/3 session, and execute code on systems with Address Spac
Bleepingcomputer
F5 issues out-of-band patches for critical NGINX vulnerabilities
blogs_bleepingcomputer·2026-06-18
CVE-2026-42530 F5 issues out-of-band patches for critical NGINX vulnerabilities
## F5 issues out-of-band patches for critical NGINX vulnerabilities
By Sergiu Gatlan
Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow attackers to execute code on vulnerable systems.
The two critical vulnerabilities were found in the ngx_http_v3_module ( CVE-2026-42530 ) and the ngx_http_proxy_v2_module and ngx_http_grpc_module ( CVE-2026-42055 ), and can be exploited by unauthenticated remote attackers to trigger a denial-of-service (DoS) attack or code execution on NGINX systems with non-default configurations.
Successful exploitation causes a use-after-free or heap-based buffer overflow in the NGINX worker process, leading to a restart. In both cases, they c
Bugzilla
CVE-2026-42055 nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers [fedora-all]
bugzilla·2026-06-23
CVE-2026-42055 [HIGH] CVE-2026-42055 nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42055 nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers
bugzilla·2026-06-17
CVE-2026-42055 [HIGH] CVE-2026-42055 nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Addre
Published: 2026-06-17