Heap Buffer Over-read Vulnerability in NGINX Plus and NGINX Open Source
CVE-2026-42934

6.3 MEDIUM

Key Information:

Vendor: F5

CVE Published: 13 May 2026

What is CVE-2026-42934?

NGINX Plus and NGINX Open Source contain a vulnerability in the ngx_http_charset_module that can lead to a heap buffer over-read. When directives such as charset, source_charset and charset_map are configured alongside a proxy_pass with buffering disabled, an unauthenticated attacker may be able to trigger the over-read. The result is limited disclosure of memory, which may expose sensitive information, or an unexpected restart of the NGINX worker process.
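As an added, defender-side check that is not part of this advisory: the Python script below parses an nginx configuration and lists the blocks that combine the three conditions named in the description, a charset-module directive in effect, a proxy_pass, and disabled proxy buffering. It assumes that "disabled buffering" means proxy_buffering off, tracks inheritance of charset and proxy_buffering from enclosing http/server blocks, and runs on a constructed sample configuration.

```python
# Added audit, not part of this advisory: flags nginx blocks where a charset-module
# directive is in effect together with proxy_pass and proxy_buffering off, i.e. the
# precondition CVE-2026-42934 describes. Assumes "disabled buffering" = proxy_buffering off.
import re
CHARSET_DIRECTIVES = {"charset", "source_charset", "charset_map"}
# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """http {
    charset utf-8;
    server {
        location /stream { proxy_pass http://backend; proxy_buffering off; }
        location /api { proxy_pass http://backend; }
        location /static { charset off; proxy_pass http://backend; proxy_buffering off; }
    }
}"""

def parse_blocks(text):
    """Build a block tree (label, directives, children); comments are stripped."""
    root, args = ("main", [], []), []
    stack = [root]
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text)):
        if tok in ("{", ";"):
            stack[-1][1].append(args)  # a block opener is also a directive of its parent
            if tok == "{":
                child = (" ".join(args), [], [])
                stack[-1][2].append(child)
                stack.append(child)
        elif tok == "}":
            stack.pop()
        else:
            args.append(tok)
            continue
        args = []
    return root

def find_risky_blocks(block, charset=False, buffering=True):
    """Labels of blocks with charset on (inherited), proxy_pass set and proxy_buffering off (inherited)."""
    label, directives, children = block
    proxy, found = False, []
    for name, *rest in filter(None, directives):
        if name in CHARSET_DIRECTIVES:
            charset = not (name == "charset" and rest == ["off"])  # 'charset off' disables
        elif name == "proxy_buffering" and rest:
            buffering = rest[0].lower() != "off"
        proxy = proxy or name == "proxy_pass"  # proxy_pass applies only to its own block
    if proxy and charset and not buffering:
        found.append(label)
    for child in children:
        found += find_risky_blocks(child, charset, buffering)
    return found
```

Feed it the output of `nginx -T` to audit the fully merged configuration of a running instance rather than a single file.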

Affected Version(s)

NGINX Open Source from 0.3.50 up to, but not including, 1.30.1

NGINX Plus R36

NGINX Plus R32


CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None


Credit

F5 acknowledges David Carlier and Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.