Memory Allocation Vulnerability in NGINX Modules by F5 Networks
CVE-2026-42946
8.3 HIGH
What is CVE-2026-42946?
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module of NGINX. This issue can lead to excessive memory allocation or unintentional over-read of data. If scgi_pass or uwsgi_pass is utilized, an attacker with the ability to execute man-in-the-middle attacks could exploit this vulnerability. By controlling responses from an upstream server, an unauthenticated attacker might gain access to sensitive data in the memory of the NGINX worker process or cause the process to restart.
Affected Version(s)
NGINX Open Source 0.8.42 < 1.30.1
NGINX Plus R36
NGINX Plus R32
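An added example, not part of the advisory or any F5 tooling: a Python check that combines the two exposure conditions stated above, an NGINX Open Source version in the listed range and an active scgi_pass or uwsgi_pass directive. The banner and configuration are constructed samples, the function names are hypothetical, and NGINX Plus releases are not evaluated because the page gives no fixed build for them.

```python
import re

# Range from the advisory: NGINX Open Source 0.8.42 up to, not including, 1.30.1.
FIRST_AFFECTED = (0, 8, 42)
FIRST_FIXED = (1, 30, 1)

# Constructed sample inputs (shaped like `nginx -v` and `nginx -T` output).
SAMPLE_BANNER = "nginx version: nginx/1.28.0"
SAMPLE_CONFIG = """\
http {
    server {
        location /app  { include uwsgi_params; uwsgi_pass unix:/run/app.sock; }
        # scgi_pass 127.0.0.1:4000;
        location /scgi { scgi_pass 10.0.0.5:4000; }
        location /web  { proxy_pass http://127.0.0.1:8080; }
    }
}
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a banner containing 'nginx/X.Y.Z'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx/X.Y.Z version in banner")
    return tuple(int(part) for part in m.groups())

def version_affected(version):
    return FIRST_AFFECTED <= version < FIRST_FIXED

def find_directives(config_text):
    """Return (line_no, directive, upstream) for each active scgi_pass/uwsgi_pass."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments; assumes no '#' inside quoted values
        for m in re.finditer(r"(?:^|[;{}\s])(scgi_pass|uwsgi_pass)\s+([^;]+);", code):
            hits.append((no, m.group(1), m.group(2).strip()))
    return hits

def assess(banner, config_text):
    version = parse_version(banner)
    hits = find_directives(config_text)
    affected = version_affected(version)
    return {"version": version, "affected_version": affected,
            "directives": hits, "exposed": affected and bool(hits)}

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Each reported directive names an upstream whose responses NGINX parses, so those are the links to review for exposure to response tampering.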
References
CVSS V4
Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.