—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

Multiple Vulnerabilities in NGINX Products

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

    NGINX Open-Source versions 0.3.50 through 1.30.0
    NGINX Plus R32 through R36
    NGINX Instance Manager 2.16.0 through 2.22.0
    F5 WAF for NGINX 5.9.0 through 5.12.1
    NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0
    F5 DoS for NGINX 4.8.0
    NGINX App Protect DoS 4.3.0 through 4.7.0
    NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.6.0
    NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.2

Overview

Multiple vulnerabilities have been reported in NGINX products, which could allow an attacker to execute unauthorized commands, access sensitive information, or cause a denial-of-service condition on the targeted system.

Target Audience:
All organizations and individuals using affected versions of NGINX products.

Risk Assessment:
Risk of remote code execution, information disclosure, unauthorized access, and denial of service.

Impact Assessment:
Potential for information disclosure, memory corruption, unauthorized operations, remote code execution, and service disruption.

Description

NGINX Plus and NGINX Open Source are widely used web server and reverse proxy solutions designed to support high-performance web applications and enterprise services.

1. Heap Buffer Overflow Vulnerability ( CVE-2026-42945   )

A vulnerability in ngx_http_rewrite_module due to improper handling of unnamed PCRE captures with certain rewrite conditions may lead to a heap buffer overflow, causing worker process restart and potential code execution when ASLR is disabled.

2. Information Disclosure Vulnerability ( CVE-2026-42946   )

A vulnerability in ngx_http_scgi_module and ngx_http_uwsgi_module due to improper validation of upstream responses may allow an attacker with MITM capability to trigger excessive memory allocation or buffer over-read, leading to information disclosure or worker process restart.

3. Heap Buffer Over-Read Vulnerability ( CVE-2026-42934   )

A vulnerability in ngx_http_charset_module due to improper memory handling under specific charset and proxy configurations may result in a heap buffer over-read, leading to limited memory disclosure or worker process restart.

4. Heap-Use-After-Free Vulnerability ( CVE-2026-40701   )

A vulnerability in ngx_http_ssl_module due to improper memory handling under specific SSL client verification and OCSP configurations may result in a heap use-after-free condition, leading to limited data modification or worker process restart.

Solution

Apply appropriate updates as mentioned by the vendor:
https://my.f5.com/manage/s/article/K000161019

https://my.f5.com/manage/s/article/K000161027

https://my.f5.com/manage/s/article/K000161028

https://my.f5.com/manage/s/article/K000161021

Vendor Information

NGINX
https://my.f5.com/manage/s/article/K000161019
https://my.f5.com/manage/s/article/K000161027
https://my.f5.com/manage/s/article/K000161028
https://my.f5.com/manage/s/article/K000161021

References

 
https://my.f5.com/manage/s/article/K000161019
https://my.f5.com/manage/s/article/K000161027
https://my.f5.com/manage/s/article/K000161028
https://my.f5.com/manage/s/article/K000161021
https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/

CVE Name
CVE-2026-42945
CVE-2026-42946
CVE-2026-42934
CVE-2026-40701

– — 

Thanks and Regards,
CERT-In

Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQJPBAEBCAA5FiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmoJbGQbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMiwxAAoJEN4woHEnXMrPMFYP/jHY4VX4i8Mzo6CZEgL8
/iVmsIH1cQOVWKZ/i3rmTuiCqdAS5UGxw2Pijb9l2gRY4gQGHdJZmEyoCQdnzFVp
871A7yNtfRf5ljDpYQZly8xHqnynGv+aKLviIJB99LYqbKvxJR6RCsqhkBjUDGMf
Cn5VMWTFcp1HnTxub1US6RDibR52OBCEiRgz+qCSVb22GFY5RthJ0slJOZSNByO9
Mcj2C/WcEvCMYTR8Z/8KRnic4SQOgcjVTQKxMhvlEMTbAwlrOpE3XBusN2sAwR0y
K+Bk/C+eO7JmO622YJQRUxkk6NUhbd68UrlJYxI7tl8ZOmwOTWMYsH4GZVc5BK5p
So3oOagwYzdfOe0Iqq+3h7FCnT/Zc0Yn3kZI8YD1SHdng7IpXZbCeUrj3whVKUm6
Me5mNdVHz9miN/PNYQw5PlTwtrtD2yHufcA7VfAbrePEjlmi8Af5JV8y0ynh8irE
hCB2QfbQEt4iSBv4nOjlz25w3mc7LFkYstQ7GO2jdTO/lB/ruHqTZkJCywoI15Cy
sCCkwHHXhZPYkNs3CDkmXelVfF514XF+W9ixA+7fOLnNcEuncwosrPv2MFug15ij
89u74+Omn1q3gw0dVAqIClERblI3VVp+IVwigyU13wa9bkWcI2I3hRqU5qCAZASi
JL+Z3Yb6Qb44rbKpqteiT5hl
=3GhC
—–END PGP SIGNATURE—–