VDB

CVE-2026-42926

CVE-2026-42926 PUBLISHED CVSS 5.800000190734863 MEDIUM

CVE-2026-42945 is a vulnerability in ngx_http_rewrite_module. The vulnerability is present when a ‘rewrite’ directive with an unnamed regex capture (e.g. $1) and a replacement string containing a question mark is followed by another ‘rewrite’, ‘if’ or ‘set’ directive. This is common pattern. An unauthenticated attacker can exploit this by sending a crafted HTTP request, causing a buffer overflow. nginx will incorrectly compute the size of the memory required and write data derived from the attacker provided URI to the heap memory, likely crashing the service and possibly, when executed correctly, leading to remote code execution by the attacker. If patching is not possible yet, a workaround is to rewrite the directives, as exampled in the Depth First article. CVE-2026-42946 is a vulnerability in ngx_http_scgi_module and ngx_http_uwsgi_module. An unauthenticated attacker that manages to man-in-the-middle the responses from an upstream server can read the memory of a nginx worker process or restart it. CVE-2026-40460 is a vulnerability that is exploitable when nginx is configured to use the HTTP/3 QUIC module. An attacker can spoof their source IP, bypassing rate limiting and IP based authorization. CVE-2026-42926 is a vulnerability that is exploitable when nginx is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2 and uses proxy_set_body. In those circumstances, an unauthenticated remote attacker can inject arbitrary HTTP/2 frame headers and payload bytes into the upstream peer. CVE-2026-40701 is a vulnerability in the ngx_http_ssl_module module that is exploitable when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. This allows an unauthenticated attacker to send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This can cause the NGINX worker to restart or lead to limited data modification. CVE-2026-42934 is a vulnerability in ngx_http_charset_module that is exploitable when charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured. In those circumstances, unauthenticated attackers may cause a restart of the nginx worker or disclose memory contents.

EPSS 0.02% · 6.8th percentile

Risk Scores

CVSS v3.1
5.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
EPSS Score
0.02%
6.8th percentile

Affected Products

VendorProductVersions
NginxNGINX Open Source <1.30.1
NginxNGINX Gateway Fabric 1.3.0 - 1.6.2 and 2.0.0 - 2.6.0
NginxNGINX Ingress Controller 3.5.0 - 3.7.2 and 4.0.0 - 4.0.1 and 5.0.0 - 5.4.2
NginxF5 DoS for NGINX 4.8.0
NginxNGINX Instance Manager 2.16.0 - 2.22.0
NginxNGINX App Protect WAF 4.9.0 - 4.16.0 and 5.1.0 - 5.8.0
NginxNGINX App Protect DoS 4.3.0 - 4.7.0
NginxNGINX Plus < 37.0.0 and R32 – R36
NginxF5 WAF for NGINX < 5.13.0

Timeline

  • May 13, 2026 CVE Published
  • May 13, 2026 CVE Updated
  • May 15, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›