Vulnerability-Lookup

OPENSUSE-SU-2026:10796-1

Vulnerability from csaf_opensuse - Published: 2026-05-16 00:00 - Updated: 2026-05-16 00:00

Summary

nginx-1.31.0-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: nginx-1.31.0-1.1 on GA media

Description of the patch: These are all security issues fixed in the nginx-1.31.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10796

CVE-2026-40460

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-40701

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-42926

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-42934

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-42945

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-42946

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

20 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-40460/	self
https://www.suse.com/security/cve/CVE-2026-40701/	self
https://www.suse.com/security/cve/CVE-2026-42926/	self
https://www.suse.com/security/cve/CVE-2026-42934/	self
https://www.suse.com/security/cve/CVE-2026-42945/	self
https://www.suse.com/security/cve/CVE-2026-42946/	self
https://www.suse.com/security/cve/CVE-2026-40460	external
https://bugzilla.suse.com/1265228	external
https://www.suse.com/security/cve/CVE-2026-40701	external
https://bugzilla.suse.com/1265229	external
https://www.suse.com/security/cve/CVE-2026-42926	external
https://bugzilla.suse.com/1265230	external
https://www.suse.com/security/cve/CVE-2026-42934	external
https://bugzilla.suse.com/1265231	external
https://www.suse.com/security/cve/CVE-2026-42945	external
https://bugzilla.suse.com/1265232	external
https://www.suse.com/security/cve/CVE-2026-42946	external
https://bugzilla.suse.com/1265233	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "nginx-1.31.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the nginx-1.31.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10796",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10796-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40460 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40460/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40701 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40701/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42926 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42926/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42934 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42934/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42945 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42945/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42946 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42946/"
      }
    ],
    "title": "nginx-1.31.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-16T00:00:00Z",
      "generator": {
        "date": "2026-05-16T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10796-1",
      "initial_release_date": "2026-05-16T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-16T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.31.0-1.1.aarch64",
                "product": {
                  "name": "nginx-1.31.0-1.1.aarch64",
                  "product_id": "nginx-1.31.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.31.0-1.1.aarch64",
                "product": {
                  "name": "nginx-source-1.31.0-1.1.aarch64",
                  "product_id": "nginx-source-1.31.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.31.0-1.1.ppc64le",
                "product": {
                  "name": "nginx-1.31.0-1.1.ppc64le",
                  "product_id": "nginx-1.31.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.31.0-1.1.ppc64le",
                "product": {
                  "name": "nginx-source-1.31.0-1.1.ppc64le",
                  "product_id": "nginx-source-1.31.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.31.0-1.1.s390x",
                "product": {
                  "name": "nginx-1.31.0-1.1.s390x",
                  "product_id": "nginx-1.31.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.31.0-1.1.s390x",
                "product": {
                  "name": "nginx-source-1.31.0-1.1.s390x",
                  "product_id": "nginx-source-1.31.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.31.0-1.1.x86_64",
                "product": {
                  "name": "nginx-1.31.0-1.1.x86_64",
                  "product_id": "nginx-1.31.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.31.0-1.1.x86_64",
                "product": {
                  "name": "nginx-source-1.31.0-1.1.x86_64",
                  "product_id": "nginx-source-1.31.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.31.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64"
        },
        "product_reference": "nginx-1.31.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.31.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le"
        },
        "product_reference": "nginx-1.31.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.31.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x"
        },
        "product_reference": "nginx-1.31.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.31.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64"
        },
        "product_reference": "nginx-1.31.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.31.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64"
        },
        "product_reference": "nginx-source-1.31.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.31.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le"
        },
        "product_reference": "nginx-source-1.31.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.31.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x"
        },
        "product_reference": "nginx-source-1.31.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.31.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
        },
        "product_reference": "nginx-source-1.31.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40460",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40460"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC  module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.    Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40460",
          "url": "https://www.suse.com/security/cve/CVE-2026-40460"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265228 for CVE-2026-40460",
          "url": "https://bugzilla.suse.com/1265228"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-40460"
    },
    {
      "cve": "CVE-2026-40701",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40701"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module  module when the ssl_verify_client  directive is set to \"on\" or \"optional,\" and the ssl_ocsp  directive is set to \"on\" or the leaf  parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.\n\n\n\n  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40701",
          "url": "https://www.suse.com/security/cve/CVE-2026-40701"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265229 for CVE-2026-40701",
          "url": "https://bugzilla.suse.com/1265229"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-40701"
    },
    {
      "cve": "CVE-2026-42926",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42926"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version  to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42926",
          "url": "https://www.suse.com/security/cve/CVE-2026-42926"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265230 for CVE-2026-42926",
          "url": "https://bugzilla.suse.com/1265230"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-42926"
    },
    {
      "cve": "CVE-2026-42934",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42934"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map  and proxy_pass  with disabled buffering (\"off\") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers\u0027 control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\n\n\n\n  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42934",
          "url": "https://www.suse.com/security/cve/CVE-2026-42934"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265231 for CVE-2026-42934",
          "url": "https://bugzilla.suse.com/1265231"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-42934"
    },
    {
      "cve": "CVE-2026-42945",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42945"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module  module. This vulnerability exists when the rewrite  directive is followed by a rewrite, if, or set  directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42945",
          "url": "https://www.suse.com/security/cve/CVE-2026-42945"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265232 for CVE-2026-42945",
          "url": "https://bugzilla.suse.com/1265232"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-16T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-42945"
    },
    {
      "cve": "CVE-2026-42946",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42946"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A vulnerability exists in the ngx_http_scgi_module  and ngx_http_uwsgi_module  modules that may result in excessive memory allocation or an over-read of data. When scgi_pass  or uwsgi_pass  is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42946",
          "url": "https://www.suse.com/security/cve/CVE-2026-42946"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265233 for CVE-2026-42946",
          "url": "https://bugzilla.suse.com/1265233"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.31.0-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.31.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-42946"
    }
  ]
}

CVE-2026-42926 (GCVE-0-2026-42926)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:16

Title

NGINX ngx_http_proxy_v2_module vulnerability

Summary

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-172 - Encoding Error

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161131	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 1.29.4 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and 章鱼哥 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:54:52.773305Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:06:30.263Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_proxy_v2_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "1.29.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and \u7ae0\u9c7c\u54e5 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Open Source is configured to proxy HTTP/2 traffic by setting \u003c/span\u003e\u003cstrong\u003eproxy_http_version\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to 2, and also uses \u003c/span\u003e\u003cstrong\u003eproxy_set_body\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, an attacker may be able to inject frame headers and payload bytes to the upstream peer.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version\u00a0to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-172",
              "description": "CWE-172 Encoding Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T16:16:54.456Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161131"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_proxy_v2_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42926",
    "datePublished": "2026-05-13T14:12:45.695Z",
    "dateReserved": "2026-05-05T21:19:09.531Z",
    "dateUpdated": "2026-05-13T16:16:54.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42945 (GCVE-0-2026-42945)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-14 18:54

Title

NGINX ngx_http_rewrite_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-122 - Heap-based Buffer Overflow.

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161019	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 0.6.27 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T03:56:26.480Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-14T18:54:21.853Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://depthfirst.com/nginx-rift"
          },
          {
            "url": "https://github.com/DepthFirstDisclosures/Nginx-Rift"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_rewrite_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_rewrite_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "0.6.27",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_rewrite_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003erewrite\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is followed by a \u003c/span\u003e\u003cstrong\u003erewrite\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003eif\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, or \u003c/span\u003e\u003cstrong\u003eset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module\u00a0module. This vulnerability exists when the rewrite\u00a0directive is followed by a rewrite, if, or set\u00a0directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow.",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:43.971Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161019"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_rewrite_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42945",
    "datePublished": "2026-05-13T14:12:43.971Z",
    "dateReserved": "2026-04-30T23:04:27.955Z",
    "dateUpdated": "2026-05-14T18:54:21.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40701 (GCVE-0-2026-40701)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:07

Title

NGINX ngx_http_ssl_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-416 - Use After Free

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161021	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 1.19.0 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40701",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:55:34.604451Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:07:37.463Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_ssl_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_ssl_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "1.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_ssl_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module when the \u003c/span\u003e\u003cstrong\u003essl_verify_client\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to \"on\" or \"optional,\" and the \u003c/span\u003e\u003cstrong\u003essl_ocsp\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to \"on\" or the \u003c/span\u003e\u003cstrong\u003eleaf\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u0026nbsp;Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module\u00a0module when the ssl_verify_client\u00a0directive is set to \"on\" or \"optional,\" and the ssl_ocsp\u00a0directive is set to \"on\" or the leaf\u00a0parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.\n\n\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:43.588Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161021"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_ssl_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-40701",
    "datePublished": "2026-05-13T14:12:43.588Z",
    "dateReserved": "2026-04-30T23:04:27.950Z",
    "dateUpdated": "2026-05-13T16:07:37.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42946 (GCVE-0-2026-42946)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06

Title

NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability

Summary

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L

8.3 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-789 - Memory Allocation with Excessive Size Value
CWE-823 - Use of Out-of-range Pointer Offset

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161027	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 0.8.42 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42946",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:55:04.864917Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:06:56.898Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_scgi_module and ngx_http_uwsgi_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_scgi_module and ngx_http_uwsgi_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "0.8.42",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in the \u003c/span\u003e\u003cstrong\u003engx_http_scgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_uwsgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules that may result in excessive memory allocation or an over-read of data. When \u003c/span\u003e\u003cstrong\u003escgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003euwsgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "A vulnerability exists in the ngx_http_scgi_module\u00a0and ngx_http_uwsgi_module\u00a0modules that may result in excessive memory allocation or an over-read of data. When scgi_pass\u00a0or uwsgi_pass\u00a0is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-823",
              "description": "CWE-823: Use of Out-of-range Pointer Offset",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:44.697Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161027"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42946",
    "datePublished": "2026-05-13T14:12:44.697Z",
    "dateReserved": "2026-04-30T23:04:27.965Z",
    "dateUpdated": "2026-05-13T16:06:56.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42934 (GCVE-0-2026-42934)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:07

Title

NGINX ngx_http_charset_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-125 - Out-of-bounds Read

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161028	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 0.3.50 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges David Carlier and Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42934",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:55:18.483975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:07:10.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_charset_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_charset_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "0.3.50",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges David Carlier and Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_charset_module \u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emodule. When \u003c/span\u003e\u003cstrong\u003echarset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003esource_charset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, and \u003c/span\u003e\u003cstrong\u003echarset_map\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003eproxy_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;with disabled buffering (\"off\") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers\u0027 control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u0026nbsp;Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map\u00a0and proxy_pass\u00a0with disabled buffering (\"off\") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers\u0027 control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\n\n\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:44.331Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161028"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_charset_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42934",
    "datePublished": "2026-05-13T14:12:44.331Z",
    "dateReserved": "2026-04-30T23:04:27.960Z",
    "dateUpdated": "2026-05-13T16:07:10.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40460 (GCVE-0-2026-40460)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06

Title

NGINX ngx_quic_module vulnerability

Summary

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

References

1 reference

URL	Tags
https://my.f5.com/manage/s/article/K000161068	vendor-advisorypatch

Impacted products

2 products

Vendor	Product	Version
F5	NGINX Plus	Unaffected: R37 , < * (custom) Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom)
F5	NGINX Open Source	Unaffected: 1.31.0 , < * (semver) Affected: 1.26.0 , < 1.30.1 (semver)

Date Public ?

2026-05-13 14:00

Credits

F5 acknowledges Rodrigo Laneth of Miralium Research for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40460",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:54:59.053463Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:06:43.631Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_quic_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_quic_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "1.26.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Rodrigo Laneth of Miralium Research for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Plus or NGINX Open Source are configured to use the \u003c/span\u003e\u003cstrong\u003eHTTP/3 QUIC\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.\u0026nbsp;\u0026nbsp;\u003c/span\u003eNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC\u00a0module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:45.291Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161068"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_quic_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-40460",
    "datePublished": "2026-05-13T14:12:45.291Z",
    "dateReserved": "2026-04-30T23:04:27.969Z",
    "dateUpdated": "2026-05-13T16:06:43.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:10796-1

CVE-2026-42926 (GCVE-0-2026-42926)

CVE-2026-42945 (GCVE-0-2026-42945)

CVE-2026-40701 (GCVE-0-2026-40701)

CVE-2026-42946 (GCVE-0-2026-42946)

CVE-2026-42934 (GCVE-0-2026-42934)

CVE-2026-40460 (GCVE-0-2026-40460)

Tags

Sightings

Nomenclature