CVE-2026-42055 (GCVE-0-2026-42055)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:04 – Updated: 2026-06-30 12:08 X_F5
VLAI
Title
NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability
Summary
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161584 | vendor-advisory |
| https://access.redhat.com/security/cve/CVE-2026-42055 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489866 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:27197 | vendor-advisoryx_refsource_REDHAT |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.13.10 , < 1.31.2
(custom)
Affected: 1.30.2 , < 1.30.3 (custom) |
|
| F5 | NGINX Plus |
Affected:
37.0 , < 37.0.2.1
(custom)
Affected: R36 , < R36 P6 (custom) |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
Date Public
2026-06-17 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:57:46.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-17T14:04:32.520Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart of the NGINX worker process and a Denial of Service (DoS). Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled or bypassed, this vulnerability could also allow for arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:43.973Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42055"
},
{
"name": "RHBZ#2489866",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489866"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27197"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27197: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-17T16:01:41.848Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-17T14:04:32.520Z",
"value": "Made public."
}
],
"title": "nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, ensure that the `ignore_invalid_headers` directive is set to `on` in your NGINX configuration, or reduce the size specified by the `large_client_header_buffers` directive to 2 megabytes or less. These changes require an NGINX service reload or restart to take effect. Reloading the NGINX service is generally safe, but a restart will briefly interrupt service."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_proxy_v2_module",
"ngx_http_grpc_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.2",
"status": "affected",
"version": "1.13.10",
"versionType": "custom"
},
{
"lessThan": "1.30.3",
"status": "affected",
"version": "1.30.2",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_proxy_v2_module",
"ngx_http_grpc_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "37.0.2.1",
"status": "affected",
"version": "37.0",
"versionType": "custom"
},
{
"lessThan": "R36 P6",
"status": "affected",
"version": "R36",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and \u7ae0\u9c7c\u54e5 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_proxy_v2_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_grpc_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003eproxy_http_version to 2\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003egrpc_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directives are used to proxy HTTP/2 traffic, the \u003c/span\u003e\u003cstrong\u003eignore_invalid_headers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to off, and the \u003c/span\u003e\u003cstrong\u003elarge_client_header_buffers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module\u00a0and ngx_http_grpc_module\u00a0modules. This vulnerability exists when the proxy_http_version to 2\u00a0or grpc_pass\u00a0directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers\u00a0directive is set to off, and the large_client_header_buffers\u00a0directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:32.520Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161584"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42055",
"datePublished": "2026-06-17T14:04:32.520Z",
"dateReserved": "2026-06-02T21:45:04.818Z",
"dateUpdated": "2026-06-30T12:08:43.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42055",
"date": "2026-07-07",
"epss": "0.02838",
"percentile": "0.84954"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42055\",\"sourceIdentifier\":\"f5sirt@f5.com\",\"published\":\"2026-06-17T15:16:50.353\",\"lastModified\":\"2026-07-02T20:03:31.557\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module\u00a0and ngx_http_grpc_module\u00a0modules. This vulnerability exists when the proxy_http_version to 2\u00a0or grpc_pass\u00a0directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers\u00a0directive is set to off, and the large_client_header_buffers\u00a0directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \\n\\n\\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\"}],\"affected\":[{\"source\":\"f5sirt@f5.com\",\"affectedData\":[{\"vendor\":\"F5\",\"product\":\"NGINX Open Source\",\"defaultStatus\":\"unknown\",\"modules\":[\"ngx_http_proxy_v2_module\",\"ngx_http_grpc_module\"],\"versions\":[{\"version\":\"1.13.10\",\"lessThan\":\"1.31.2\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"1.30.2\",\"lessThan\":\"1.30.3\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"F5\",\"product\":\"NGINX Plus\",\"defaultStatus\":\"unaffected\",\"modules\":[\"ngx_http_proxy_v2_module\",\"ngx_http_grpc_module\"],\"versions\":[{\"version\":\"37.0\",\"lessThan\":\"37.0.2.1\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"R36\",\"lessThan\":\"R36 P6\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Hardened Images\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:hummingbird:1\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-17T00:00:00+00:00\",\"id\":\"CVE-2026-42055\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"f5sirt@f5.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-131\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:dos:4.9.0:*:*:*:*:nginx:*:*\",\"matchCriteriaId\":\"DACAC9CB-16D3-4F55-A466-70035779B387\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_app_protect_dos:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.3.0\",\"versionEndIncluding\":\"4.7.0\",\"matchCriteriaId\":\"4F9DC498-9755-4CFA-9EA5-0009A3EE791F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_app_protect_waf:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10.0\",\"versionEndIncluding\":\"4.16.0\",\"matchCriteriaId\":\"A70F49F1-8FD2-45E8-8681-27745BDB35B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_app_protect_waf:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.2.0\",\"versionEndIncluding\":\"5.8.0\",\"matchCriteriaId\":\"DD0C5470-172B-4C82-AD8E-0FA0F19F3D15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndIncluding\":\"1.6.2\",\"matchCriteriaId\":\"15B7F1FD-0C49-460F-9CB8-23DA730EC4BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.6.4\",\"matchCriteriaId\":\"8495C4C7-3BFA-49CD-B527-7E1EE9827634\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.5.0\",\"versionEndIncluding\":\"3.7.2\",\"matchCriteriaId\":\"10D5B143-4C1E-4626-8B49-3EA7160E9256\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.5.1\",\"matchCriteriaId\":\"965E7D6E-288B-438E-A2A8-A25802E34933\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_ingress_controller:4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"896F495E-50C2-4A10-8FE8-F4D0AD52F6FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_ingress_controller:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0ACDA17B-D0AB-46C1-9D58-21DF6ED5479E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.17.0\",\"versionEndIncluding\":\"2.22.0\",\"matchCriteriaId\":\"BCFCE3FC-61E0-4749-8F09-EEB4B09B1218\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.30.0\",\"versionEndExcluding\":\"1.30.3\",\"matchCriteriaId\":\"5C7658CE-370C-4210-8C25-FC2BC48EF785\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_open_source:1.31.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D313995D-43EA-48D8-ABDE-D08D0995509A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"37.0.0\",\"versionEndIncluding\":\"37.0.1\",\"matchCriteriaId\":\"DB9460A8-35D0-45BD-A94F-F4833F6914AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A4AAFDD5-EACA-4A96-83D8-4A5A745981C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"96BF2B19-52C7-4051-BA58-CAE6F912B72F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r30:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EBEC829-7EED-487E-974D-BBA704DFBF0A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r30:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D0648596-D1F5-4A7A-B7F8-104E3AF26317\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"8248517E-D805-4928-8252-2168472341EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r31:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D5BB4C0-B862-4CDD-AA54-1BC1BDF27005\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r31:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F5A3A1A-04B0-4365-A84D-7B29F7EF1D9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r31:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"71E1C590-CFCE-4CC8-9A42-3C085D39B3B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"36C4308E-651E-437C-84E7-10C542E3ADC2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA913184-EAAD-409E-99C6-AB979DAA93F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"782DF180-1101-4D6A-A1D7-8DADBAF6D9D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB0B11F2-4748-492B-9906-F8C4C5EAFF12\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"86B53968-1CCA-4CF3-8454-BB92EF64D10E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"514B0A2A-E2FD-4DB7-B5B8-5C59F1D60AD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"46DC49B8-7286-4867-9CDA-1C1B469CD304\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"43477C2E-7485-4146-B25C-F58D632CD85B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A25B9CF-02C0-42DE-9C70-F2AD3ACE3CEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r34:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"25292797-19EC-446B-BB26-FAC7A280F61D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7453D683-FCA7-46EE-BE49-5FD9A01D7F87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"A977BF9F-D165-4B93-B4D2-A177883A5E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r35:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"5D5FFD66-35C3-41AD-BD77-510E34A3AC6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4958360C-7993-4C82-8685-202D4940CE01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7E5F940-048A-446F-9A1E-074612CEA1AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7993A0FB-BE7E-4634-BF7F-FDEE3582D3E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"862EA47E-8D57-434E-9C8F-238325FB85B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B52C01B-F719-4C72-BB83-7B70EC4BC029\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F2211E4-93B9-4F1F-BA32-F5C34B879688\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:nginx_plus:r36:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"284E9DB5-02EB-40E9-9DF3-E8F8144775ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:waf:*:*:*:*:*:nginx:*:*\",\"versionStartIncluding\":\"5.9.0\",\"versionEndIncluding\":\"5.13.1\",\"matchCriteriaId\":\"03FC0AE0-1D26-4002-92DD-1895A38F6382\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:f5:waf:4.8.1:*:*:*:*:nginx:*:*\",\"matchCriteriaId\":\"EDC7D419-A6CD-4490-A456-459BDC9BF658\"}]}]}],\"references\":[{\"url\":\"https://my.f5.com/manage/s/article/K000161584\",\"source\":\"f5sirt@f5.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:27197\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-42055\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2489866\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42055\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-17T15:43:07.643763Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-17T15:43:12.416Z\"}}], \"cna\": {\"tags\": [\"x_F5\"], \"title\": \"NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"\\\"F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and \\u7ae0\\u9c7c\\u54e5 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\\\"\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"F5\", \"modules\": [\"ngx_http_proxy_v2_module\", \"ngx_http_grpc_module\"], \"product\": \"NGINX Open Source\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.13.10\", \"lessThan\": \"1.31.2\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.30.2\", \"lessThan\": \"1.30.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"F5\", \"modules\": [\"ngx_http_proxy_v2_module\", \"ngx_http_grpc_module\"], \"product\": \"NGINX Plus\", \"versions\": [{\"status\": \"affected\", \"version\": \"37.0\", \"lessThan\": \"37.0.2.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"R36\", \"lessThan\": \"R36 P6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-06-17T14:00:00.000Z\", \"references\": [{\"url\": \"https://my.f5.com/manage/s/article/K000161584\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"F5 SIRTBot v1.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module\\u00a0and ngx_http_grpc_module\\u00a0modules. This vulnerability exists when the proxy_http_version to 2\\u00a0or grpc_pass\\u00a0directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers\\u00a0directive is set to off, and the large_client_header_buffers\\u00a0directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \\n\\n\\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_proxy_v2_module\u003c/strong\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_grpc_module\u003c/strong\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;modules. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003eproxy_http_version to 2\u003c/strong\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003egrpc_pass\u003c/strong\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;directives are used to proxy HTTP/2 traffic, the \u003c/span\u003e\u003cstrong\u003eignore_invalid_headers\u003c/strong\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;directive is set to off, and the \u003c/span\u003e\u003cstrong\u003elarge_client_header_buffers\u003c/strong\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \\n\\n\\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122 Heap-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"shortName\": \"f5\", \"dateUpdated\": \"2026-06-17T14:04:32.520Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42055\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-18T03:57:46.697Z\", \"dateReserved\": \"2026-06-02T21:45:04.818Z\", \"assignerOrgId\": \"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab\", \"datePublished\": \"2026-06-17T14:04:32.520Z\", \"assignerShortName\": \"f5\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…