Heap Buffer Over-read in NGINX Plus and Open Source Due to Charset Misconfiguration
CVE-2026-48142

6.3 MEDIUM

Key Information:

Vendor

F5

CVE Published:
17 June 2026

What is CVE-2026-48142?

A vulnerability in the ngx_http_charset_module of NGINX Plus and NGINX Open Source allows an incorrect charset configuration to cause a heap buffer over-read. When a location block sets 'source_charset utf-8;' together with another charset directive, an attacker can send specially crafted requests that trigger the over-read, potentially disclosing sensitive memory contents or causing NGINX processes to restart unexpectedly. This misconfiguration is a security risk: it lets unauthorized parties disrupt service and gain limited access to server memory.
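The following is an added example (not F5's or the NGINX project's code) that a defender could use to audit for the pattern the advisory describes: it scans an NGINX configuration for location blocks combining 'source_charset utf-8;' with another charset-module directive, and checks a version string against the affected ranges listed above. The advisory does not say which second directive triggers the bug, so reporting any other ngx_http_charset_module directive ('charset' or 'override_charset') in the same block is an assumption, as is applying the separately listed 1.30 range to 1.30.x versions only; the sample configuration is constructed.

```python
"""Configuration and version check for the NGINX charset issue described in
CVE-2026-48142 (added example; not F5's or the NGINX project's code).

Assumptions not stated on the advisory page:
- The advisory names 'source_charset utf-8;' plus "another charset directive"
  without saying which; any other ngx_http_charset_module directive in the same
  location block ('charset' or 'override_charset') is therefore reported.
- The parser is a brace-depth scanner: 'include' files are not expanded and
  braces inside regex locations are not handled. Feed it 'nginx -T' output.
- The advisory lists the 1.30 stable branch on its own line, so that range is
  applied to 1.30.x versions and the mainline range to every other version.
"""
import re

CHARSET_DIRECTIVES = {"charset", "override_charset", "source_charset"}

# Affected ranges exactly as listed on the advisory: lower bound inclusive,
# upper bound (the fixed release) exclusive.
OSS_MAINLINE = ((1, 13, 10), (1, 31, 2))
OSS_STABLE_130 = ((1, 30, 0), (1, 30, 3))
PLUS = ((37, 0), (37, 0, 2, 1))


def parse_version(text):
    """Extract the first dotted version from strings such as '1.30.1' or the
    'nginx version: nginx/1.30.1' line printed by 'nginx -v'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def oss_affected(version):
    """True if an NGINX Open Source version falls in an affected range."""
    v = parse_version(version)
    low, high = OSS_STABLE_130 if v[:2] == (1, 30) else OSS_MAINLINE
    return low <= v < high


def plus_affected(version):
    """True if an NGINX Plus version written as on the advisory (e.g. '37.0.1') is affected."""
    v = parse_version(version)
    low, high = PLUS
    return low <= v < high


def _strip_comments(config_text):
    return "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())


def _evaluate(header, directives):
    """Report a location block only if it combines 'source_charset utf-8'
    with another charset-module directive."""
    has_source_utf8 = any(
        name == "source_charset" and args and args[0].lower() == "utf-8"
        for name, args in directives
    )
    others = sorted({name for name, _ in directives} & (CHARSET_DIRECTIVES - {"source_charset"}))
    if has_source_utf8 and others:
        return (header, others)
    return None


def find_risky_locations(config_text):
    """Walk the config by brace depth and return [(location header, [other
    charset directives])] for every location block matching the pattern."""
    findings = []
    stack = []   # one (block header, [directives]) entry per open block
    buf = ""
    for ch in _strip_comments(config_text):
        if ch == "{":
            stack.append((buf.strip(), []))
            buf = ""
        elif ch == "}":
            if stack:
                header, directives = stack.pop()
                if header.startswith("location"):
                    finding = _evaluate(header, directives)
                    if finding:
                        findings.append(finding)
            buf = ""
        elif ch == ";":
            parts = buf.split()
            if parts and stack:
                stack[-1][1].append((parts[0], parts[1:]))
            buf = ""
        else:
            buf += ch
    return findings


# Constructed sample config: the first and third location blocks show the
# combination the advisory describes; the second sets only one charset directive.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        location /legacy/ {
            source_charset utf-8;
            charset koi8-r;
            root /var/www/legacy;
        }
        location /static/ {
            charset utf-8;
            root /var/www/static;
        }
        location ~ \\.php$ {
            source_charset utf-8;
            override_charset on;
        }
    }
}
"""

if __name__ == "__main__":
    for header, others in find_risky_locations(SAMPLE_CONFIG):
        print(f"{header}: source_charset utf-8 combined with {', '.join(others)}")
    print("1.30.1 affected:", oss_affected("nginx version: nginx/1.30.1"))
```

On a real host, pipe the output of `nginx -T` (which dumps the fully resolved configuration) into find_risky_locations and the first line of `nginx -v` into oss_affected; a flagged block on an affected version is the condition to remediate by upgrading to the fixed release.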

Affected Version(s)

NGINX Open Source 1.13.10 < 1.31.2

NGINX Open Source 1.30.0 < 1.30.3

NGINX Plus 37.0 < 37.0.2.1

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

"F5 acknowledges p4p3r of CYBERONE and Han Yan of Xiaomi for bringing this issue to our attention and following the highest standards of coordinated disclosure."