Skip to main content

NGINX Plus and NGINX Open Source CVE-2026-42934

| EUVDEUVD-2026-30008 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-13 f5 GHSA-6vmc-2wh4-77qp
6.3
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Red Hat
4.8 MEDIUM
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 13, 2026 - 16:22 NVD
4.8 (MEDIUM) 6.3 (MEDIUM)
Analysis Generated
May 13, 2026 - 15:58 vuln.today
CVE Published
May 13, 2026 - 14:12 nvd
MEDIUM 4.8

DescriptionCVE.org

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer over-read in NGINX's ngx_http_charset_module allows unauthenticated remote attackers to leak sensitive memory or crash worker processes when specific configuration directives (charset, source_charset, charset_map, and proxy_pass with buffering disabled) are combined. The vulnerability requires attacker-controlled conditions that depend on factors outside the attacker's control, limiting exploitability but creating real risk for affected deployments. CVSS 4.8 reflects the conditional nature of exploitation and limited scope of impact (information disclosure or availability).

Technical ContextAI

The ngx_http_charset_module in NGINX handles character set encoding transformations and charset mapping between client requests and upstream responses. The vulnerability is a classic heap buffer over-read (CWE-125) occurring in the charset conversion logic when proxy_pass with disabled buffering ('off') is combined with charset mapping directives. The over-read allows an attacker to read adjacent heap memory beyond the intended buffer boundary. The underlying issue stems from insufficient bounds checking during character encoding operations, particularly when the module must process charset transformations on data flowing through a non-buffered proxy connection. Both NGINX Plus (commercial) and NGINX Open Source are affected, as identified by CPE strings cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:* and cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*.

RemediationAI

Apply the vendor-released patch from F5 (https://my.f5.com/manage/s/article/K000161028) immediately for affected NGINX Plus and NGINX Open Source installations. The patch addresses bounds checking in the ngx_http_charset_module. If patching cannot be immediately deployed, implement compensating controls by removing or disabling the combination of directives that triggers the vulnerability: specifically, comment out or remove charset_map directives and/or disable charset transformation (charset off; source_charset off;) in affected server blocks, OR convert proxy_pass connections to use proxy buffering enabled (remove 'off' flag or set proxy_buffering on;). Disabling buffering may impact performance or caching behavior if proxy_buffering was intentionally disabled for streaming use cases, so test thoroughly before production deployment. Monitor NGINX error logs for worker process crashes (SIGSEGV) which may indicate exploitation attempts or edge cases in the patch.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected

Share

CVE-2026-42934 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy