AI description
CVE-2026-42055 is a vulnerability in NGINX Plus and NGINX Open Source, specifically in the `ngx_http_proxy_v2_module` and `ngx_http_grpc_module` modules. It is reachable only under a specific, non-default combination of settings: `proxy_http_version` is set to 2 or `grpc_pass` directives are used to proxy HTTP/2 traffic to an upstream, the `ignore_invalid_headers` directive is set to `off`, and the `large_client_header_buffers` directive size exceeds 2 megabytes. Under these conditions, a remote, unauthenticated attacker who sends large headers that are forwarded in an upstream request can trigger a heap-based buffer overflow in the NGINX worker process, crashing and restarting the worker. Code execution is additionally possible on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.
- Description
- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when proxy_http_version is set to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- Source
- f5sirt@f5.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.2
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.9
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- Weakness (f5sirt@f5.com)
- CWE-122
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 14
F5 has released patches for two critical vulnerabilities in NGINX Open Source, CVE-2026-42530 and CVE-2026-42055, both with a CVSS v4 score of 9.2. These flaws could allow remote code execution on affected systems. Administrators are urged to apply the updates promptly to secure
@dailytechonx
18 Jun 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Two critical NGINX flaws can lead to remote code execution. F5 has patched: • CVE-2026-42530 (HTTP/3 use-after-free) • CVE-2026-42055 (HTTP/2 heap buffer overflow) Both require specific configurations and ASLR bypass conditions. Details here → https://t.co/x1251rhB3
@TheHackersNews
18 Jun 2026
8280 Impressions
22 Retweets
60 Likes
21 Bookmarks
0 Replies
4 Quotes
Attention Nginx web server admins: two vulnerabilities with the identifiers CVE-2026-42530 and CVE-2026-42055 have been published for the Nginx web server. These vulnerabilities are of the RCE and DOS type, wh
@EthicalSafe
18 Jun 2026
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
F5 Patches Critical NGINX Vulnerabilities Enabling Unauthenticated Code Execution: F5 released emergency updates for critical NGINX flaws (CVE-2026-42530, CVE-2026-42055) that could enable unauthenticated code execution. F5 has issued out-of-band patches… https://t.co/Egh8TpmJV
@shah_sheikh
18 Jun 2026
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Edge patch watch: F5 released out-of-band updates for NGINX flaws including CVE-2026-42530 and CVE-2026-42055. SecurityWeek says unauthenticated remote attackers can trigger DoS, with code execution possible in some conditions. #NGINX #Cyber https://t.co/6blR5xlopn
@Divinmentis
18 Jun 2026
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
2 Replies
0 Quotes
Multiple vulnerabilities in F5 products including NGINX. The High CVEs are the following four: CVE-2026-42530 CVE-2026-42055 CVE-2026-11311 CVE-2026-50107 K000161614: Out-of-band Security Notification (June 17, 2026) https://t.co/cu9fv9gL8u
@autumn_good_35
18 Jun 2026
208 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 Nginx 1.31.2 has been released. Notable patches: • use-after-free flaw on the HTTP/3 + QUIC side (CVE-2026-42530) • heap overflow risk in HTTP/2/gRPC proxy scenarios (CVE-2026-42055) • memory overread from charset_map UTF-8 handling (CVE-2026-48142) Mutl
@ridvanyagli
18 Jun 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
NGINX CVE-2026-42530 & CVE-2026-42055: F5 Critical Patches F5 released out-of-band patches on June 18, 2026 for four NGINX flaws, including two CVSS… Read more: https://t.co/0exuxzle00 #Nginx #F5 #Cve #RemoteCodeExecution
@navanem
18 Jun 2026
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 F5 issues emergency patches for two critical NGINX vulnerabilities that could let unauthenticated attackers crash servers or execute code 🔹 CVE-2026-42530 & CVE-2026-42055 affect NGINX Plus, Open Source, Gateway Fabric & Instance Manager 🔹 No active exploitati
@techepages
18 Jun 2026
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Looks like CVE-2026-42055 and CVE-2026-48142 are fixed in #nginx 1.30.3 https://t.co/JC5hKJkY1X
@stuons
17 Jun 2026
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
2026-06-17 nginx-1.30.3 stable and nginx-1.31.2 mainline versions have been released, (CVE-2026-42530),(CVE-2026-48142),(CVE-2026-42055), fix https://t.co/7HtZYwRWiH
@hacker_infra
17 Jun 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
nginx 1.30.3 and 1.31.2 released to fix CVE-2026-42055, CVE-2026-48142 and CVE-2026-42530 https://t.co/8dCg0h930B
@jedisct1
17 Jun 2026
681 Impressions
2 Retweets
10 Likes
0 Bookmarks
0 Replies
1 Quote