CVE-2026-48142
Awaiting Analysis - Queue
Heap Buffer Over-Read in NGINX Plus and Open Source

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: F5 Networks

Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected Vendors & Products
Vendor Product Version / Range
nginx nginx_plus *
nginx nginx_open_source *
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability exists in the ngx_http_charset_module of NGINX Plus and NGINX Open Source. It occurs when content is served or proxied through a location block configured with both source_charset set to utf-8 and a charset directive (such as charset koi8-r). Under these conditions, remote, unauthenticated attackers can send specially crafted requests that may cause a heap buffer over-read in the NGINX worker process.

This heap buffer over-read can lead to limited disclosure of memory contents or cause the NGINX worker process to restart.
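
To find where this combination is in effect in a deployed configuration, the following added example (not code from F5, NGINX, or this page) parses an nginx configuration and lists every location block where source_charset is utf-8 and a charset conversion is active. It assumes both directives inherit from enclosing http and server blocks, does not follow include files, and reports only location blocks; the function names and the sample configuration are constructed for illustration.

```python
import re
SAMPLE = r'''# Constructed sample configuration, not taken from the advisory.
http {
    source_charset utf-8;                      # inherited by the blocks below
    server {
        location /legacy/ { charset koi8-r; }  # both directives in effect
        location /plain/  { charset off; }     # conversion disabled
        location /api/    { source_charset windows-1251; charset koi8-r; }
    }
    server {
        charset windows-1251;
        location / { root /srv/www; }          # inherits both directives
    }
}
'''

TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"']+''')

def parse(tokens, pos=0):  # returns ([(words, children or None)], next position)
    items, words = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == ';':
            items.append((words, None)); words = []
        elif tok == '{':
            children, pos = parse(tokens, pos)
            items.append((words, children)); words = []
        elif tok == '}':
            break
        else:
            words.append(tok.strip('"\''))
    return items, pos

def affected_locations(text):  # returns [(location header, effective charset)]
    text = re.sub(r'#[^\n]*', '', text)  # simplification: every '#' starts a comment
    tree, _ = parse(TOKEN.findall(text))
    hits = []
    def walk(words, items, inherited):
        eff = dict(inherited)
        for w, kids in items:  # a block's own directives override inherited values
            if kids is None and w and w[0] in eff:
                eff[w[0]] = w[1].lower() if len(w) > 1 else None
        if (words[:1] == ['location'] and eff['source_charset'] == 'utf-8'
                and eff['charset'] not in (None, 'off')):
            hits.append((' '.join(words), eff['charset']))
        for w, kids in items:
            if kids is not None:
                walk(w, kids, eff)
    walk([], tree, {'charset': None, 'source_charset': None})
    return hits
```

On the constructed sample this reports /legacy/ and the inheriting / location, and skips /plain/ (charset off) and /api/ (a non-UTF-8 source_charset).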

Impact Analysis

A remote attacker can trigger a heap buffer over-read, which may result in limited disclosure of memory data. This could potentially expose sensitive information stored in memory.

Additionally, the vulnerability can cause the NGINX worker process to restart, leading to potential service disruption or denial of service.
