CVE Catalog

CVE-2026-42055

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
3.55%

88th percentile - higher than 88% of all known CVEs

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. It occurs when proxy_http_version 2 or grpc_pass directives are used for HTTP/2 proxying, ignore_invalid_headers is set to off, and large_client_header_buffers size exceeds 2 MB. A remote unauthenticated attacker can send large headers during upstream request creation, causing a heap-based buffer overflow in the NGINX worker process leading to a restart, and potentially code execution under certain conditions.

Risk Assessment

The risk for the organization includes potential service disruption due to NGINX worker process restarts and, if ASLR is disabled or bypassed, remote code execution that could lead to full server compromise.

Recommendation

Immediately update NGINX to the latest patched version. As a temporary workaround, set ignore_invalid_headers to on or reduce large_client_header_buffers size to 2 MB or less.

Original NVD description (English source)

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS