CVE-2026-40701 PUBLISHED CVSS 4.8 MEDIUM

CVE-2026-42945 is a vulnerability in ngx_http_rewrite_module. The vulnerability is present when a ‘rewrite’ directive with an unnamed regex capture (e.g. $1) and a replacement string containing a question mark is followed by another ‘rewrite’, ‘if’ or ‘set’ directive. This is a common pattern. An unauthenticated attacker can exploit this by sending a crafted HTTP request, causing a buffer overflow. nginx will incorrectly compute the size of the memory required and write data derived from the attacker-provided URI to heap memory, likely crashing the service and possibly, when executed correctly, leading to remote code execution by the attacker. If patching is not possible yet, a workaround is to rewrite the directives, as shown in the Depth First article.

CVE-2026-42946 is a vulnerability in ngx_http_scgi_module and ngx_http_uwsgi_module. An unauthenticated attacker who manages to man-in-the-middle the responses from an upstream server can read the memory of an nginx worker process or restart it.

CVE-2026-40460 is a vulnerability that is exploitable when nginx is configured to use the HTTP/3 QUIC module. An attacker can spoof their source IP, bypassing rate limiting and IP-based authorization.

CVE-2026-42926 is a vulnerability that is exploitable when nginx is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2 and uses proxy_set_body. In those circumstances, an unauthenticated remote attacker can inject arbitrary HTTP/2 frame headers and payload bytes into the upstream peer.

CVE-2026-40701 is a vulnerability in the ngx_http_ssl_module module that is exploitable when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. This allows an unauthenticated attacker to send requests that, along with conditions beyond the attacker's control, may cause a heap-use-after-free error in the NGINX worker process. This can cause the NGINX worker to restart or lead to limited data modification.

CVE-2026-42934 is a vulnerability in ngx_http_charset_module that is exploitable when the charset, source_charset and charset_map directives, and proxy_pass with disabled buffering ("off"), are configured. In those circumstances, unauthenticated attackers may cause a restart of the nginx worker or disclose memory contents.
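The CVE-2026-42945 precondition described above can be checked for in configuration before a patch is rolled out. The following is an added example, not code from NGINX or from the advisory: it flags a `rewrite` whose replacement contains `?` and a `$N` reference and which is followed by `rewrite`, `if` or `set`. Limiting "followed by" to the same block, the function names and the sample config are assumptions of this example.

```python
import re

FOLLOWERS = {"rewrite", "if", "set"}  # followers named in the advisory text
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|(?:\$\{\w+\}|[^\s{};])+''')

def directives(conf):
    """Yield (line, words, terminator); heuristic tokenizer, no include expansion."""
    words, line = [], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):  # comment runs to end of line
            continue
        if tok in ("{", "}", ";"):
            yield line, words, tok
            words = []
        else:
            if not words:  # first word of a directive fixes its line number
                line = conf.count("\n", 0, m.start()) + 1
            words.append(tok[1:-1] if tok[0] in "\"'" else tok)

def is_risky(words):  # rewrite <regex> <replacement>: '?' plus an unnamed $N
    return (len(words) >= 3 and words[0] == "rewrite"
            and "?" in words[2] and bool(re.search(r"\$\d", words[2])))

def find_risky_rewrites(conf):
    """Return [(rewrite_line, follower_line, follower)]; same block only (assumption)."""
    findings, stack = [], [[]]  # stack[-1]: risky rewrites pending in this block
    for line, words, end in directives(conf):
        if words and words[0] in FOLLOWERS and stack[-1]:
            findings += [(r, line, words[0]) for r in stack[-1]]
            stack[-1] = []
        if is_risky(words):
            stack[-1].append(line)
        if end == "{":
            stack.append([])
        elif end == "}" and len(stack) > 1:
            stack.pop()
    return findings

# Constructed sample config, not taken from any real deployment.
SAMPLE = """\
location /old/ {
    rewrite ^/old/(.*)$ /new/index.php?path=$1 last;
    set $backend app;
}
location /static/ { rewrite ^/static/(.*)$ /assets/$1 break; set $x 1; }
"""

if __name__ == "__main__": print(find_risky_rewrites(SAMPLE))
```

A finding means the configuration matches the pattern the advisory describes, not that the running binary is a vulnerable version; files pulled in with `include` have to be scanned separately.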

Risk Scores

CVSS v3.1
4.8
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Nginx | NGINX Instance Manager | 2.16.0 - 2.22.0 |
| Nginx | NGINX Plus | < 37.0.0 and R32 – R36 |
| Nginx | NGINX Ingress Controller | 3.5.0 - 3.7.2 and 4.0.0 - 4.0.1 and 5.0.0 - 5.4.2 |
| Nginx | NGINX App Protect DoS | 4.3.0 - 4.7.0 |
| Nginx | F5 WAF for NGINX | < 5.13.0 |
| Nginx | NGINX App Protect WAF | 4.9.0 - 4.16.0 and 5.1.0 - 5.8.0 |
| Nginx | NGINX Open Source | < 1.30.1 |
| Nginx | NGINX Gateway Fabric | 1.3.0 - 1.6.2 and 2.0.0 - 2.6.0 |
| Nginx | F5 DoS for NGINX | 4.8.0 |
