Skip to main content

Nginx Open Source CVE-2026-27654

| EUVDEUVD-2026-14881 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-24 f5 GHSA-6r46-2qjx-j5j3
8.8
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 14:45 euvd
EUVD-2026-14881
Analysis Generated
Mar 24, 2026 - 14:45 vuln.today
CVE Published
Mar 24, 2026 - 14:13 nvd
HIGH 8.8

DescriptionCVE.org

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.

Technical ContextAI

This vulnerability affects the WebDAV (Web Distributed Authoring and Versioning) implementation in NGINX's ngx_http_dav_module, specifically impacting both NGINX Open Source (cpe:2.3:a:f5:nginx_open_source) and NGINX Plus (cpe:2.3:a:f5:nginx_plus). The root cause is CWE-122 (Heap-based Buffer Overflow), which occurs when processing MOVE or COPY operations in configurations that combine prefix-based location blocks with alias directives. The buffer overflow can corrupt memory in the NGINX worker process, leading to either process termination or allowing attackers to modify source/destination filenames beyond intended document root boundaries. The vulnerability manifests only in specific configuration scenarios where all three elements are present: DAV methods enabled, prefix location matching, and alias path rewriting.

RemediationAI

Consult the F5 security advisory at https://my.f5.com/manage/s/article/K000160382 for specific patched versions and upgrade immediately to the recommended release for your NGINX Open Source or NGINX Plus deployment. As an interim mitigation while planning upgrades, review NGINX configuration files to identify instances where the ngx_http_dav_module is enabled with MOVE or COPY methods alongside prefix location blocks using alias directives, and either disable DAV methods, convert prefix locations to exact or regex matches, or replace alias directives with root directives where functionally acceptable. Additionally, implement network-level access controls to restrict WebDAV endpoint access to authenticated and authorized clients only, reducing the attack surface until patching is complete.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42530 CRITICAL POC
9.2 Jun 17

Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker process

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2026-27784 HIGH
8.5 Mar 24

Integer overflow in NGINX 32-bit builds with the ngx_http_mp4_module allows local attackers to corrupt or overwrite work

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 8 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-27654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy