Heap-Based Buffer Overflow in NGINX Plus and Open Source Web Server
CVE-2026-42055

9.2 CRITICAL

Key Information:

Vendor:
F5

CVE Published:
17 June 2026

What is CVE-2026-42055?

The vulnerability in NGINX Plus and NGINX Open Source arises from improper handling of HTTP/2 traffic in the ngx_http_proxy_v2_module and ngx_http_grpc_module. When NGINX is configured with specific directives, namely proxy_http_version set to 2 and the ignore_invalid_headers directive turned off, a design flaw allows an attacker to send oversized headers in requests that NGINX forwards upstream. This may trigger a heap-based buffer overflow in the NGINX worker process and crash it, causing a server restart. In environments where Address Space Layout Randomization (ASLR) is disabled or bypassed, the overflow may additionally allow arbitrary code execution, which is why the issue is rated critical.

Affected Version(s)

NGINX Open Source: 1.13.10 up to, but not including, 1.31.2

NGINX Open Source: 1.30.2 up to, but not including, 1.30.3

NGINX Plus: 37.0 up to, but not including, 37.0.2.1
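The following Python script is an added example written for this page; it is not code from F5 or from the advisory. It audits an NGINX configuration for the directive combination the description names (proxy_http_version 2 together with ignore_invalid_headers off, with the latter inherited from an enclosing block as NGINX does) and checks a version string against the affected ranges listed above. The configuration parser is a deliberately simplified one written for this example, the sample configuration is constructed, and the value 2 for proxy_http_version is used exactly as the advisory describes it.

```python
"""Audit an NGINX config and version against the preconditions of CVE-2026-42055.

Added example: the parser below is a minimal, hand-written one, not NGINX's own,
and the sample configuration is constructed for illustration.
"""
import re

# Affected ranges as listed in the advisory: (product, first affected, first fixed).
AFFECTED = [
    ("NGINX Open Source", "1.13.10", "1.31.2"),
    ("NGINX Open Source", "1.30.2", "1.30.3"),
    ("NGINX Plus", "37.0", "37.0.2.1"),
]


def parse_version(version):
    """Turn '1.30.2' into (1, 30, 2) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(product, version):
    """True if the version lies in one of the advisory's [first affected, first fixed) ranges."""
    ver = parse_version(version)
    return any(
        prod == product and parse_version(low) <= ver < parse_version(high)
        for prod, low, high in AFFECTED
    )


def parse_config(text):
    """Minimal NGINX config parser: returns a list of (name, args, children) tuples.

    Comments are stripped; `{ ... }` blocks nest; `;` ends a simple directive.
    Quoted strings are kept as single tokens.
    """
    text = re.sub(r"#.*", "", text)
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                children = block()
                pos += 1  # consume the closing "}"
            else:
                pos += 1  # consume the ";"
                children = None
            items.append((words[0], words[1:], children))
        return items

    return block()


def audit(items, inherited="on", path=()):
    """Return the config paths where proxy_http_version 2 is in effect
    while ignore_invalid_headers is off (NGINX's default for it is on).

    The directive set in a block applies to that block and is inherited by
    nested blocks, so each block's effective value is computed before recursing.
    """
    effective = inherited
    for name, args, _ in items:
        if name == "ignore_invalid_headers" and args:
            effective = args[0]

    findings = []
    for name, args, children in items:
        if name == "proxy_http_version" and args and args[0] == "2" and effective == "off":
            findings.append(" > ".join(path) or "main")
        if children is not None:
            label = (name + " " + " ".join(args)).strip()
            findings += audit(children, effective, path + (label,))
    return findings


# Constructed sample configuration: one location matches the risky combination,
# a second server block restores the default and is therefore not flagged.
SAMPLE_CONF = """
http {
    ignore_invalid_headers off;   # weakened from the default of on
    server {
        listen 443 ssl;
        server_name api.example.test;
        location /grpc {
            proxy_http_version 2;   # value as described in the advisory
            proxy_pass https://backend;
        }
        location /legacy {
            proxy_http_version 1.1;
            proxy_pass http://backend;
        }
    }
    server {
        listen 8443 ssl;
        ignore_invalid_headers on;   # hardened: back to the default
        location / {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
    }
}
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONF)):
        print("risky directive combination at:", finding)
    for product, version in [("NGINX Open Source", "1.30.2"), ("NGINX Plus", "37.0.2.1")]:
        print(product, version, "affected" if is_affected(product, version) else "not affected")
```

Run against a real deployment, replace SAMPLE_CONF with the output of `nginx -T` (which prints the full, include-expanded configuration) and the version string with the one `nginx -v` reports; a hit from audit() combined with an affected version means both preconditions the advisory describes are present and the upgrade should be prioritised.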

CVSS v4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

"F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and 章鱼哥 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure."