NGINX Plus
CVE-2026-48142
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
AV:N for network-delivered HTTP requests; AC:H for dual stacked prerequisites (non-default config plus content-dependent conditions); C:L and A:L for partial heap leak and worker restart only.
Primary rating from Vendor (f5).
CVSS Vector (Vendor: f5)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Description (CVE.org)
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis (AI)
Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memory or triggers a worker restart when remote unauthenticated attackers send crafted requests against a non-default charset conversion configuration. Exploitation requires both a specific dual-directive configuration (source_charset utf-8 alongside a differing charset directive such as koi8-r in the same location block) and content-dependent conditions outside the attacker's direct control, reflected in the CVSS AC:H rating. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires an NGINX location block explicitly configured with BOTH source_charset utf-8; AND a charset directive specifying a different target encoding (such as charset koi8-r;) simultaneously in the same block - this dual-directive combination is not present in default NGINX configurations and must be deliberately deployed. … |
| Risk Assessment | The CVSS 4.8 score with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L accurately characterizes a moderate, conditionally constrained risk. … |
| Exploit Scenario | An attacker identifies or infers an NGINX endpoint whose location block is configured with both source_charset utf-8 and a differing charset directive, then sends HTTP requests designed to elicit responses whose body content contains specific byte sequences that drive the charset conversion logic past the heap buffer boundary. Success additionally depends on the proxied or served content meeting specific structural conditions at the moment of request - a factor outside the attacker's direct control - meaning repeated requests against suitable endpoints increase the probability of triggering the over-read. … |
| Remediation | Consult F5 advisory K000161585 at https://my.f5.com/manage/s/article/K000161585 for exact patched NGINX Plus and NGINX Open Source version numbers, which were not independently confirmed from the available intelligence. … |
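
One way to audit a configuration for the directive combination named in the description, as an added example (not code from F5 or from this page): it parses the nginx block structure and flags `server`, `location` and `if` blocks where `source_charset utf-8` and a different `charset` are both in effect. It goes beyond the single-location case in the text by applying nginx's usual inheritance of directives from enclosing blocks; the sample configuration is constructed, the function names are hypothetical, and `include` files are not followed.

```python
import re

# Constructed sample configuration for illustration (not from the advisory).
SAMPLE_CONF = """
http {
    server {
        location /legacy/ { charset koi8-r; proxy_pass http://backend; }
        location /plain/  { charset utf-8; }
    }
    server {
        source_charset windows-1251;
        location /old/ { charset koi8-r; }
    }
    source_charset utf-8;  # declared last, still inherited by blocks above
}
"""
# Comment, quoted string, structural character, or bare word.
TOKEN = re.compile(r"""#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};]+""")

def parse(tokens, name="main"):
    """Build a tree node for one block from a shared token iterator."""
    block, words = {"name": name, "dirs": {}, "kids": []}, []
    for tok in tokens:
        if tok == "{":      # words collected so far name the child block
            block["kids"].append(parse(tokens, " ".join(words)))
            words = []
        elif tok == ";":    # simple directive: remember its first argument
            if len(words) >= 2:
                block["dirs"][words[0]] = words[1].strip("\"'").lower()
            words = []
        elif tok == "}":
            return block
        elif not tok.startswith("#"):   # skip comment tokens
            words.append(tok)
    return block

def affected(block, src=None, dst=None, path=""):
    """Walk the tree, carrying inherited source_charset/charset values."""
    src = block["dirs"].get("source_charset", src)
    dst = block["dirs"].get("charset", dst)
    path = f"{path} > {block['name']}" if path else block["name"]
    hits = []
    serves = block["name"].split(" ")[0] in ("server", "location", "if")
    if serves and src == "utf-8" and dst not in (None, "off", "utf-8"):
        hits.append((path, dst))
    for kid in block["kids"]:
        hits += affected(kid, src, dst, path)
    return hits

def find_affected(conf_text):
    """Return (block path, target charset) pairs that match the condition."""
    return affected(parse(iter(TOKEN.findall(conf_text))))
```

`find_affected(SAMPLE_CONF)` reports only `location /legacy/`: the other blocks either convert from a different source charset or request no conversion.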