CVE-2026-42055
Awaiting Analysis Awaiting Analysis - Queue
Heap-based Buffer Overflow in NGINX Plus and NGINX Open Source

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: F5 Networks

Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-42055
EUVD
EUVD-2026-37718
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nginx nginx_plus *
nginx nginx_open_source *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects NGINX Plus and NGINX Open Source in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. It occurs when HTTP/2 traffic is proxied using the proxy_http_version set to 2 or grpc_pass directives, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes.

Under these conditions, a remote, unauthenticated attacker can send large headers while creating an upstream request, which may cause a heap-based buffer overflow in the NGINX worker process. This can lead to the process restarting and, in some cases, allow attackers to execute code on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.

Impact Analysis

The vulnerability can cause the NGINX worker process to crash and restart due to a heap-based buffer overflow. This can lead to denial of service by disrupting the availability of the web server.

Additionally, if the system has ASLR disabled or if an attacker can bypass ASLR, the vulnerability may allow remote attackers to execute arbitrary code on the affected system, potentially leading to full system compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart