
[CIVN-2026-0340] Multiple Vulnerabilities in NGINX
Multiple Vulnerabilities in NGINX
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
NGINX Open Source versions from 1.13.10 before 1.31.2, and from 1.31.0 before 1.31.2
NGINX Plus versions from 37.0 before 37.0.2.1, and from R36 before R36 P6
Overview
Multiple vulnerabilities have been reported in NGINX products that could allow a remote attacker to execute arbitrary code, disclose sensitive information, or cause denial-of-service conditions on affected systems.
Target Audience:
Organizations and individuals using affected NGINX products.
Risk Assessment:
High risk of remote code execution, denial of service, and sensitive information disclosure.
Impact Assessment:
Potential for arbitrary code execution, service disruption, information disclosure, and compromise of the affected NGINX server.
Description
NGINX is a high-performance web server, reverse proxy, load balancer, and HTTP cache designed to handle massive, simultaneous connections with low resource usage.
Multiple vulnerabilities have been reported in NGINX products due to use-after-free conditions, heap-based buffer overflows and out-of-bounds reads. An unauthenticated attacker could exploit these vulnerabilities by sending specially crafted HTTP requests.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, disclose sensitive information, or cause denial-of-service conditions on affected systems.
Solution
Apply appropriate updates as mentioned:
https://nginx.org/en/download.html
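The following is an added example, not part of the CERT-In advisory or of NGINX: a POSIX shell check that classifies `nginx -v` banners against the NGINX Open Source range listed under Software Affected (1.13.10 up to, but not including, 1.31.2). The host names and banners in the inventory are constructed, the function names are hypothetical, and NGINX Plus release names are not handled.

```shell
# Added example: flag NGINX Open Source versions inside the advisory's range
# (1.13.10 <= version < 1.31.2). NGINX Plus release names are not handled.
LOW="1.13.10"    # first affected version, from the advisory
FIXED="1.31.2"   # first fixed version, from the advisory

# Extract "X.Y.Z" from a banner such as "nginx version: nginx/1.24.0 (Ubuntu)".
nginx_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's|.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# ver_lt A B: succeed when three-part version A is strictly lower than B.
ver_lt() {
    va=$1; vb=$2
    for i in 1 2 3; do
        vx=${va%%.*}; vy=${vb%%.*}
        if [ "$vx" -lt "$vy" ]; then return 0; fi
        if [ "$vx" -gt "$vy" ]; then return 1; fi
        va=${va#*.}; vb=${vb#*.}
    done
    return 1
}

# classify BANNER: print "affected", "not-affected" or "unknown".
classify() {
    v=$(nginx_version_from_banner "$1")
    if [ -z "$v" ]; then echo "unknown"; return 0; fi
    if ver_lt "$v" "$LOW" || ! ver_lt "$v" "$FIXED"; then
        echo "not-affected"
    else
        echo "affected"
    fi
}

# Constructed inventory: host, then the banner captured with `nginx -v 2>&1`.
SAMPLE_INVENTORY='web01|nginx version: nginx/1.24.0 (Ubuntu)
web02|nginx version: nginx/1.31.2
web03|nginx version: nginx/1.12.2
web04|nginx version: nginx/1.31.1
web05|sh: nginx: command not found'

# scan_inventory TEXT: print one "host status" line per "host|banner" entry.
scan_inventory() {
    printf '%s\n' "$1" | while IFS='|' read -r host banner; do
        printf '%s %s\n' "$host" "$(classify "$banner")"
    done
}

scan_inventory "$SAMPLE_INVENTORY"
```

Distribution packages can carry backported fixes under an older upstream version string, so treat an "affected" result as a prompt to check the package changelog rather than as proof of exposure.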
Vendor Information
NGINX
https://nginx.org/2026.html
References
https://nginx.org/en/download.html
https://nginx.org/2026.html
CVE Name
CVE-2026-42530
CVE-2026-48142
CVE-2026-42055
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


