CVE-2026-42055
Analyzed Analyzed - Analysis Complete

Heap-based Buffer Overflow in NGINX Plus and NGINX Open Source

Vulnerability report for CVE-2026-42055, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-07-02

Assigner: F5 Networks

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-07-02
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 44 associated CPEs
Vendor Product Version / Range
f5 nginx_plus r30
f5 nginx_plus r31
f5 nginx_plus r30
f5 nginx_plus r31
f5 nginx_plus r32
f5 nginx_plus r30
f5 nginx_plus r32
f5 nginx_plus r32
f5 nginx_plus r33
f5 nginx_plus r33
f5 nginx_plus r33
f5 nginx_plus r34
f5 nginx_plus r34
f5 nginx_plus r32
f5 nginx_plus r33
f5 nginx_plus r34
f5 nginx_plus r35
f5 nginx_plus r36
f5 nginx_plus r36
f5 nginx_plus r35
f5 nginx_plus r36
f5 nginx_plus r32
f5 nginx_app_protect_dos From 4.3.0 (inc) to 4.7.0 (inc)
f5 nginx_gateway_fabric From 1.3.0 (inc) to 1.6.2 (inc)
f5 nginx_ingress_controller From 3.5.0 (inc) to 3.7.2 (inc)
f5 dos 4.9.0
f5 nginx_instance_manager From 2.17.0 (inc) to 2.22.0 (inc)
f5 nginx_plus From 37.0.0 (inc) to 37.0.1 (inc)
f5 waf From 5.9.0 (inc) to 5.13.1 (inc)
f5 nginx_gateway_fabric From 2.0.0 (inc) to 2.6.4 (exc)
f5 nginx_ingress_controller From 5.0.0 (inc) to 5.5.1 (exc)
f5 nginx_ingress_controller 4.0.0
f5 nginx_ingress_controller 4.0.1
f5 nginx_app_protect_waf From 4.10.0 (inc) to 4.16.0 (inc)
f5 nginx_app_protect_waf From 5.2.0 (inc) to 5.8.0 (inc)
f5 nginx_open_source From 1.30.0 (inc) to 1.30.3 (exc)
f5 nginx_open_source 1.31.1
f5 nginx_plus r3
f5 nginx_plus r31
f5 nginx_plus r31
f5 nginx_plus r36
f5 nginx_plus r36
f5 nginx_plus r36
f5 waf 4.8.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects NGINX Plus and NGINX Open Source in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. It occurs when HTTP/2 traffic is proxied using the proxy_http_version set to 2 or grpc_pass directives, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes.

Under these conditions, a remote, unauthenticated attacker can send large headers while creating an upstream request, which may cause a heap-based buffer overflow in the NGINX worker process. This can lead to the process restarting and, in some cases, allow attackers to execute code on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.

Impact Analysis

The vulnerability can cause the NGINX worker process to crash and restart due to a heap-based buffer overflow. This can lead to denial of service by disrupting the availability of the web server.

Additionally, if the system has ASLR disabled or if an attacker can bypass ASLR, the vulnerability may allow remote attackers to execute arbitrary code on the affected system, potentially leading to full system compromise.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart