Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-06-17
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap-based buffer overflow that occurs in the NGINX proxy modules when redirecting HTTP/2 traffic. A remote attacker can send oversized HTTP headers while an upstream request is being created if the configuration enables proxy_http_version 2 or grpc_pass, the ignore_invalid_headers directive is off, and the large_client_header_buffers size exceeds two megabytes. The overflow can cause the worker process to crash and restart, and under conditions where Address Space Layout Randomization is disabled or bypassed, can allow arbitrary code execution on the host.

Affected Systems

This flaw affects the F5 NGINX Open Source and F5 NGINX Plus products. The specific product versions that are vulnerable are not listed, but any install that is still receiving support and meets the configuration conditions described in the advisory is at risk. End‑of‑support releases are not evaluated by the advisory.

Risk and Exploitability

The CVSS score of 9.2 indicates a high‑severity vulnerability, yet the EPSS score of less than 1% suggests a low probability of exploitation on the current date. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote network access to the NGINX server, requiring an ability to send configured HTTP/2 requests with large headers. Successful exploitation could lead to denial of service through worker crashes or, if ASLR is disabled, remote code execution. The attacker can achieve this without authentication but only under the configuration conditions noted above.

Generated by OpenCVE AI on June 18, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported version of NGINX where the proxy modules are fixed
  • Configure large_client_header_buffers to a value of 2 MB or less
  • Ensure ignore_invalid_headers is set to on for any proxy_http_version 2 or grpc_pass usage
  • Disable or remove unused HTTP/2 or gRPC proxy directives if possible

Generated by OpenCVE AI on June 18, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-06-18T03:57:46.697Z

Reserved: 2026-06-02T21:45:04.818Z

Link: CVE-2026-42055

cve-icon Vulnrichment

Updated: 2026-06-17T15:43:12.416Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:45:15Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow