
[CIVN-2026-0168] Multiple Vulnerabilities in NGINX
Multiple Vulnerabilities in NGINX
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
NGINX Open Source versions 1.0.0 to 1.29.6
NGINX Open Source versions 1.1.19 to 1.29.6
NGINX Open Source versions 0.5.13 to 0.9.7
NGINX Open Source versions 1.27.2 to 1.29.6
NGINX Open Source versions 0.6.27 to 0.9.7
NGINX Plus R32 – R36
Overview
Multiple vulnerabilities have been reported in NGINX products which could allow an attacker to execute arbitrary code, cause memory corruption and trigger a denial of service (DoS) condition on the targeted system.
Target Audience:
Organizations and individuals running affected versions of NGINX Open Source or NGINX Plus products.
Risk Assessment:
High risk of memory corruption, remote code execution, data manipulation.
Impact Assessment:
Potential for service disruption, memory corruption, unauthorized access.
Description
NGINX is a high-performance web server, reverse proxy, load balancer, and HTTP cache designed to handle massive numbers of simultaneous connections with low resource usage. It acts as a fast, secure intermediary between clients and backend servers, serving static content, managing SSL/TLS encryption, and distributing traffic to optimize speed.
These vulnerabilities exist in NGINX products due to Heap-based Buffer Overflow, Integer Overflow or Wraparound, Out-of-bounds Read, NULL Pointer Dereference, Incorrect Authorization, and Improper Neutralization of CRLF Sequences.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause memory corruption and trigger a denial of service (DoS) condition on the targeted system.
Solution
Apply appropriate security updates as mentioned in the NGINX Security Updates:
https://my.f5.com/manage/s/article/K000160336
Vendor Information
NGINX
https://my.f5.com/manage/s/article/K000160336
References
NGINX
https://my.f5.com/manage/s/article/K000160336
CVE Name
CVE-2026-27654
CVE-2026-27784
CVE-2026-32647
CVE-2026-27651
CVE-2026-28755
CVE-2026-28753


