Skip to main content

NGINX CVE-2026-42946

| EUVDEUVD-2026-30011 HIGH
Memory Allocation with Excessive Size Value (CWE-789)
2026-05-13 f5 GHSA-fm65-xrrr-c358
8.3
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 13, 2026 - 16:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
May 13, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
May 13, 2026 - 16:22 NVD
6.5 (MEDIUM) 8.3 (HIGH)
Analysis Generated
May 13, 2026 - 16:00 vuln.today
CVE Published
May 13, 2026 - 14:12 nvd
MEDIUM 6.5

DescriptionCVE.org

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle position between NGINX and upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. The vulnerability requires network positioning between NGINX and its backend servers (AV:N with AT:P - Present attack complexity), making exploitation dependent on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects potential for confidential data exposure but limited by MITM prerequisite.

Technical ContextAI

This vulnerability affects ngx_http_scgi_module and ngx_http_uwsgi_module, which implement NGINX's reverse proxy functionality for SCGI (Simple Common Gateway Interface) and uWSGI application servers. The flaw is classified as CWE-789 (Memory Allocation with Excessive Size Value), indicating improper validation of size parameters when processing upstream responses. When NGINX receives maliciously crafted responses from backend servers via scgi_pass or uwsgi_pass configurations, the modules fail to properly bound memory allocation or read operations. This results in either excessive heap allocation potentially exhausting worker process memory, or out-of-bounds read operations that leak adjacent memory contents. Both NGINX Open Source and the commercial NGINX Plus product are affected across their respective version ranges as indicated by CPE identifiers cpe:2.3:a:f5:nginx_open_source and cpe:2.3:a:f5:nginx_plus. The vulnerability exists in the parsing layer that handles backend protocol responses before forwarding processed data to clients.

RemediationAI

Apply vendor-released patches available from F5 Networks. Consult the official advisory at https://my.f5.com/manage/s/article/K000161027 for exact patched versions corresponding to your NGINX Open Source or NGINX Plus deployment. The advisory provides upgrade paths and specific version numbers that address the memory handling flaws in ngx_http_scgi_module and ngx_http_uwsgi_module. For environments where immediate patching is not feasible, implement network-layer controls to secure the NGINX-to-backend communication path: deploy IPsec tunnels or mutual TLS authentication between NGINX and upstream SCGI/uWSGI servers to prevent MITM attacks (note this adds encryption overhead and configuration complexity). Alternatively, ensure NGINX and backend servers communicate only over dedicated isolated network segments with strict access controls and monitoring for unauthorized devices (requires network architecture changes and may not be practical in cloud environments). Review configurations to identify scgi_pass and uwsgi_pass directives - if these features are unused, consider disabling or removing the modules during NGINX compilation to eliminate attack surface (requires custom build process and testing). Organizations running EoTS versions must prioritize migration to supported releases as those versions remain unpatched.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

CVE-2024-24989 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected

Share

CVE-2026-42946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy