Skip to main content

NGINX Plus and NGINX Open Source CVE-2026-40701

| EUVDEUVD-2026-29981 MEDIUM
Use After Free (CWE-416)
2026-05-13 f5 GHSA-x88q-x2r7-vg3g
6.3
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Red Hat
4.8 MEDIUM
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 13, 2026 - 16:22 NVD
4.8 (MEDIUM) 6.3 (MEDIUM)
Analysis Generated
May 13, 2026 - 15:58 vuln.today
CVE Published
May 13, 2026 - 14:12 nvd
MEDIUM 4.8

DescriptionCVE.org

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap-use-after-free in NGINX Plus and NGINX Open Source allows unauthenticated remote attackers to trigger memory corruption in the worker process when ssl_verify_client is set to 'on' or 'optional' and ssl_ocsp is configured with a resolver. Exploitation can cause limited information disclosure or worker process restart, with CVSS 4.8 reflecting moderate impact constrained by high attack complexity. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability resides in the ngx_http_ssl_module, which handles TLS/SSL processing in NGINX. When OCSP (Online Certificate Status Protocol) validation is enabled via the ssl_ocsp directive with a resolver configured, and client certificate verification is active (ssl_verify_client 'on' or 'optional'), a use-after-free condition (CWE-416) occurs in heap memory management during request handling. The flaw stems from improper lifecycle management of memory objects after OCSP stapling or client certificate verification operations, allowing an attacker to trigger access to freed memory regions. The attack does not require authentication, as the vulnerability is exposed at the TLS handshake or early request processing stage before application-level authentication.

RemediationAI

Apply the vendor-released patch from F5 for NGINX Plus and NGINX Open Source as documented in advisory K000161021 (https://my.f5.com/manage/s/article/K000161021). Exact patched versions are available in the F5 advisory. Immediate workaround for organizations unable to patch: disable the ssl_ocsp directive (set ssl_ocsp off) or remove resolver configuration from ssl_ocsp parameters, which eliminates the vulnerable code path while preserving client certificate verification if ssl_verify_client remains configured. Alternative workaround: restrict access to the affected NGINX instance via network ACLs or WAF rules to reduce attack surface, though this does not eliminate the vulnerability. Note that disabling OCSP validation may impact compliance requirements for real-time certificate status validation in regulated environments. Upgrade to patched versions as soon as possible after validation in lower environments.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected

Share

CVE-2026-40701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy