{"id":"CVE-2026-42055","details":"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","aliases":["BIT-nginx-2026-42055","BIT-nginx-gateway-2026-42055"],"modified":"2026-07-10T04:02:50.966485123Z","published":"2026-06-17T15:16:50.353Z","related":["ALSA-2026:36331","ALSA-2026:36364","ALSA-2026:36618","ALSA-2026:36639","CGA-m5f2-gp9h-4h22","openSUSE-SU-2026:11066-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_RANGE","vendor_product":"f5:nginx_app_protect_dos","cpes":["cpe:2.3:a:f5:nginx_app_protect_dos:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"4.3.0"},{"last_affected":"4.7.0"}]},{"source":"CPE_RANGE","vendor_product":"f5:nginx_app_protect_waf","cpes":["cpe:2.3:a:f5:nginx_app_protect_waf:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"4.10.0"},{"last_affected":"4.16.0"},{"introduced":"5.2.0"},{"last_affected":"5.8.0"}]},{"source":"CPE_RANGE","vendor_product":"f5:nginx_instance_manager","cpes":["cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"2.17.0"},{"last_affected":"2.22.0"}]},{"source":"CPE_RANGE","vendor_product":"f5:nginx_plus","cpes":["cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"37.0.0"},{"last_affected":"37.0.1"}]},{"source":"CPE_RANGE","vendor_product":"f5:waf","cpes":["cpe:2.3:a:f5:waf:*:*:*:*:*:nginx:*:*"],"extracted_events":[{"introduced":"5.9.0"},{"last_affected":"5.13.1"}]},{"source":"CPE_STRING","vendor_product":"f5:dos","cpes":["cpe:2.3:a:f5:dos:4.9.0:*:*:*:*:nginx:*:*"],"extracted_events":[{"introduced":"4.9.0"},{"last_affected":"4.9.0"}]},{"source":"CPE_STRING","vendor_product":"f5:nginx_ingress_controller","cpes":["cpe:2.3:a:f5:nginx_ingress_controller:4.0.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"4.0.0"},{"last_affected":"4.0.0"}]},{"source":"CPE_STRING","vendor_product":"f5:nginx_plus","cpes":["cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r30:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r30:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r31:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r31:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r31:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:-:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:-:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:-:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r35:-:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:-:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p4:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p5:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r3:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"r3"},{"last_affected":"r3"},{"introduced":"r30-NA"},{"last_affected":"r30-NA"},{"introduced":"r30-p1"},{"last_affected":"r30-p1"},{"introduced":"r30-p2"},{"last_affected":"r30-p2"},{"introduced":"r31-NA"},{"last_affected":"r31-NA"},{"introduced":"r31-p1"},{"last_affected":"r31-p1"},{"introduced":"r31-p2"},{"last_affected":"r31-p2"},{"introduced":"r31-p3"},{"last_affected":"r31-p3"},{"introduced":"r32-NA"},{"last_affected":"r32-NA"},{"introduced":"r32-p1"},{"last_affected":"r32-p1"},{"introduced":"r32-p2"},{"last_affected":"r32-p2"},{"introduced":"r32-p3"},{"last_affected":"r32-p3"},{"introduced":"r32-p4"},{"last_affected":"r32-p4"},{"introduced":"r33-NA"},{"last_affected":"r33-NA"},{"introduced":"r33-p1"},{"last_affected":"r33-p1"},{"introduced":"r33-p2"},{"last_affected":"r33-p2"},{"introduced":"r33-p3"},{"last_affected":"r33-p3"},{"introduced":"r34-NA"},{"last_affected":"r34-NA"},{"introduced":"r34-p1"},{"last_affected":"r34-p1"},{"introduced":"r34-p2"},{"last_affected":"r34-p2"},{"introduced":"r35-NA"},{"last_affected":"r35-NA"},{"introduced":"r35-p1"},{"last_affected":"r35-p1"},{"introduced":"r36-NA"},{"last_affected":"r36-NA"},{"introduced":"r36-p1"},{"last_affected":"r36-p1"},{"introduced":"r36-p2"},{"last_affected":"r36-p2"},{"introduced":"r36-p3"},{"last_affected":"r36-p3"},{"introduced":"r36-p4"},{"last_affected":"r36-p4"},{"introduced":"r36-p5"},{"last_affected":"r36-p5"}]},{"source":"CPE_STRING","vendor_product":"f5:waf","cpes":["cpe:2.3:a:f5:waf:4.8.1:*:*:*:*:nginx:*:*"],"extracted_events":[{"introduced":"4.8.1"},{"last_affected":"4.8.1"}]}]},"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27197"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36331"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36364"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36618"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-42055"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489866"},{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000161584"},{"type":"ADVISORY","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/kubernetes-ingress","events":[{"introduced":"33971b8ff54bc55785a7b38c07a21e03bda25080"},{"last_affected":"561824f3077b7615c2fa764bd6d8e7a47e184857"},{"introduced":"8dfabca757830d0821e86206c2db83044e6696f0"},{"fixed":"814710cbaf43c9a37baed249feec0db5f0868fa9"},{"introduced":"81bae7d0360fdf277b2d3e355d02e410ee211ef8"},{"last_affected":"43349033e28d0b6aa38773ff840deba079654a4f"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_ingress_controller:4.0.0:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_ingress_controller:4.0.1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"3.5.0"},{"last_affected":"3.7.2"},{"introduced":"5.0.0"},{"fixed":"5.5.1"},{"introduced":"4.0.0"},{"last_affected":"4.0.0"},{"introduced":"4.0.1"},{"last_affected":"4.0.1"}]}}],"versions":["4.0.0","4.0.1","v4.0.1","v4.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42055.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"6e14e954aaacce9a433d9b07b4653809c7594ab8"},{"fixed":"47c3628d23efaa1bfb1a32afbe9e3d013f860c2c"},{"introduced":"d44205284fa41662da803b796d6056fc1e59b1f3"},{"last_affected":"d44205284fa41662da803b796d6056fc1e59b1f3"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_open_source:1.31.1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"1.30.0"},{"fixed":"1.30.3"},{"introduced":"1.31.1"},{"last_affected":"1.31.1"}]}}],"versions":["1.31.1","release-1.30.2","release-1.31.1","release-1.30.1","release-1.30.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42055.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx-gateway-fabric","events":[{"introduced":"3a372747333fb1db372af7cf0b18ed7eef7c91f7"},{"last_affected":"532db6a20b2912fe397211eef9f8d564d46a4bdd"},{"introduced":"7dad8b31e3f0c3eadce36fed8c276e83e6583d24"},{"fixed":"66691213cd771fe56b124786ea6701c7fb8e467a"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.3.0"},{"last_affected":"1.6.2"},{"introduced":"2.0.0"},{"fixed":"2.6.4"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42055.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}