NGINX
CVE-2026-42055
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable and unauthenticated, but AC:H due to three stacked non-default config requirements; availability impact is certain (worker crash) while C/I are Low because code execution requires an additional ASLR bypass.
Primary rating from Vendor (f5).
CVSS Vector (Vendor: f5)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version directive is set to 2 or the grpc_pass directive is used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis (AI)
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects the ngx_http_proxy_v2_module and ngx_http_grpc_module when proxying HTTP/2 traffic under a specific non-default configuration. A remote unauthenticated attacker sending oversized headers can crash the worker process and, on systems without effective ASLR, potentially achieve code execution. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the target NGINX instance to act as a reverse proxy with an HTTP/2 upstream, specifically configured with `proxy_http_version 2` or the `grpc_pass` directive, AND with `ignore_invalid_headers` explicitly set to `off` (non-default), AND with `large_client_header_buffers` configured to a size larger than 2 megabytes. … |
| Risk Assessment | The 8.1 CVSS rating with AV:N/AC:H/PR:N/UI:N reflects remote unauthenticated reachability tempered by High attack complexity, because exploitation depends on a stacked set of non-default settings (HTTP/2 or gRPC upstream, `ignore_invalid_headers off`, `large_client_header_buffers` >2MB) plus, for code execution, a system without effective ASLR. … |
| Exploit Scenario | An attacker identifies a public NGINX reverse proxy fronting a gRPC or HTTP/2 backend and probes for the non-default header configuration by sending progressively larger headers. Once the threshold is reached, a crafted request with oversized headers triggers the heap overflow in the worker process, causing repeated worker restarts (denial of service); against a target with ASLR disabled or already bypassed, the same primitive can be shaped into arbitrary code execution in the worker context. … |
| Remediation | Patch available per vendor advisory: upgrade NGINX Open Source and NGINX Plus to the fixed builds listed in F5 advisory K000161584 (https://my.f5.com/manage/s/article/K000161584); exact released patched versions are not enumerated in the provided intelligence and should be taken directly from that advisory. … |
Recommended Action (AI)
Within 24 hours: identify all NGINX deployments with HTTP/2 proxy modules (ngx_http_proxy_v2_module, ngx_http_grpc_module) enabled and verify system ASLR status. …
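The three stacked preconditions from the description can be checked mechanically across a configuration estate. The script below is an added example, not code from F5, NGINX or this page: it flat-scans an nginx configuration text for `proxy_http_version 2` or `grpc_pass`, `ignore_invalid_headers off`, and a `large_client_header_buffers` per-buffer size above 2 MiB (the description says "size" without stating per-buffer or total, so per-buffer is an assumption), ignoring http/server/location scoping; the sample configurations are constructed.

```python
import re

# Constructed sample configs (not from the advisory). The first stacks all
# three preconditions named in the CVE description; the second keeps defaults.
SAMPLE_VULNERABLE = """
http {
    ignore_invalid_headers off;          # non-default
    large_client_header_buffers 4 4m;    # per-buffer size above 2 MiB
    server {
        listen 443 ssl http2;
        location /api/  { proxy_pass https://backend; proxy_http_version 2; }
        location /grpc/ { grpc_pass grpc://grpc_backend; }
    }
}
"""
SAMPLE_DEFAULT = """
http {
    server { location /grpc/ { grpc_pass grpc://grpc_backend; } }
}
"""
TWO_MIB = 2 * 1024 * 1024
_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def parse_size(token):
    """Convert an nginx size token (65536, 8k, 4m) to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token.strip())
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]

def assess(config):
    """Flag each stacked precondition and the combined verdict. Flat scan:
    http/server/location scoping is ignored, which errs towards flagging."""
    text = "\n".join(line.split("#", 1)[0] for line in config.splitlines())
    h2_upstream = bool(re.search(r"\bproxy_http_version\s+2\s*;", text)
                       or re.search(r"\bgrpc_pass\s", text))
    invalid_off = bool(re.search(r"\bignore_invalid_headers\s+off\s*;", text))
    big_buffers = any(
        parse_size(size) > TWO_MIB
        for _num, size in re.findall(
            r"\blarge_client_header_buffers\s+(\d+)\s+(\S+?)\s*;", text))
    return {
        "http2_or_grpc_upstream": h2_upstream,
        "ignore_invalid_headers_off": invalid_off,
        "header_buffer_over_2mib": big_buffers,
        "matches_cve_preconditions": h2_upstream and invalid_off and big_buffers,
    }
```

A hit on `matches_cve_preconditions` means the instance should be prioritised for the vendor fix; a hit on only one or two conditions still shows which non-default setting could be returned to its default while the upgrade is scheduled.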