Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When the charset, source_charset, and charset_map directives are configured together with proxy_pass with buffering disabled ("off"), unauthenticated attackers can send requests that, under conditions beyond the attackers' control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in NGINX's ngx_http_charset_module. When the module is configured with the charset, source_charset, and charset_map directives in combination with a proxy_pass that has buffering disabled, an unauthenticated attacker can send crafted HTTP requests that trigger a heap buffer over-read in the NGINX worker process. The over-read may expose portions of memory to the attacker or cause the worker to crash and restart, leading to limited information disclosure or a denial-of-service condition. This weakness is a heap buffer over-read (CWE-125).

Affected Systems

The affected products are F5 NGINX Open Source and F5 NGINX Plus. The advisory does not list specific vulnerable versions; any release that includes the ngx_http_charset_module and is configured with the described directives may be affected.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity. EPSS information is not available, so the precise likelihood of exploitation is unknown, and the CVE is not listed in the CISA KEV catalog, which suggests that no large-scale exploitation has been reported. The likely attack vector is inbound HTTP traffic to the vulnerable NGINX instance, requiring no authentication. The impact is limited memory disclosure or a worker restart, which can lead to a disruptive denial-of-service if the worker process crashes repeatedly.

Generated by OpenCVE AI on May 13, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NGINX to the latest version that includes a fix for the ngx_http_charset_module buffer over-read issue; consult the vendor’s security advisories for the patch.
  • If an update is not immediately available, remove or disable the ngx_http_charset_module or the combination of charset, source_charset, charset_map, and proxy_pass directives with buffering set to "off" in the configuration to eliminate the vulnerable code path.
  • Alternatively, enable buffering on the proxy_pass directive (the default) so that the over-read condition cannot be triggered while preserving functionality.
  • Monitor the server for abnormal restarts or signs of memory exposure and use web application monitoring tools to detect unusual request patterns.

Generated by OpenCVE AI on May 13, 2026 at 17:09 UTC.
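
The directive combination named in the recommended actions above can be checked mechanically. The following is an added example, not code from NGINX, F5 or OpenCVE: a small Python scanner that parses nginx.conf syntax and reports location blocks where charset, source_charset and a charset_map are in effect together with proxy_pass and proxy_buffering off. It assumes the unbuffered-proxy condition is written as the proxy_buffering directive (default on) and runs against a constructed sample configuration.

```python
import re
# Added checker, not NGINX or OpenCVE code: flags location blocks in nginx.conf syntax
# where every directive the advisory names is in effect at once. Assumption: the
# unbuffered-proxy condition is written as "proxy_buffering off".
TOKEN = re.compile(r'''\s*(#[^\n]*|[{};]|"[^"]*"|'[^']*'|[^\s;{}#"']+)''')

def parse(text):
    """Parse nginx syntax into [name, args, children] nodes (children is None for simple directives)."""
    stack, words = [[]], []
    for tok in (m.group(1) for m in TOKEN.finditer(text)):
        if tok.startswith('#'):              # comments run to end of line
            continue
        if tok in ('{', ';'):                # a directive is complete: block or simple
            node = [words[0], words[1:], [] if tok == '{' else None]
            stack[-1].append(node)
            if tok == '{':
                stack.append(node[2])
            words = []
        elif tok == '}':
            stack.pop()
        else:
            words.append(tok.strip('"\''))
    return stack[0]

def find_risky_locations(text):
    """Return paths of location blocks where all of the advisory's preconditions hold."""
    tree, findings = parse(text), []
    has_map = any(d[0] == 'charset_map' for b in tree for d in (b[2] or []))  # http-level map
    def visit(nodes, scope, path):
        scope = dict(scope)                  # copy: settings inherit http > server > location
        for name, args, _ in nodes:
            if name in ('charset', 'source_charset', 'proxy_buffering') and args:
                scope[name] = args[0]
        for name, args, children in nodes:
            if children is not None:
                visit(children, scope, path + [' '.join([name] + args)])
        if (path and path[-1].startswith('location') and has_map
                and any(n[0] == 'proxy_pass' for n in nodes)   # proxy_pass does not inherit
                and scope.get('proxy_buffering') == 'off'
                and 'charset' in scope and 'source_charset' in scope):
            findings.append(' > '.join(path))
    visit(tree, {}, [])
    return findings

SAMPLE_CONF = """http {  # constructed sample, not a real deployment
    charset_map koi8-r utf-8 { C0 D0 ; }  charset utf-8;  source_charset koi8-r;
    server {
        location /legacy/ { proxy_pass http://backend; proxy_buffering off; }
        location /api/    { proxy_pass http://backend; }
    } }"""
# Hardened variant: restore default buffering, as the recommended actions suggest.
HARDENED_CONF = SAMPLE_CONF.replace('proxy_buffering off;', 'proxy_buffering on;')
```

Running find_risky_locations on SAMPLE_CONF reports only the /legacy/ location; on HARDENED_CONF it reports nothing.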

Advisories

No advisories yet.

History

Wed, 13 May 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   F5
                                      F5 nginx Open Source
                                      F5 nginx Plus
Vendors & Products                    F5
                                      F5 nginx Open Source
                                      F5 nginx Plus

Wed, 13 May 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Description                           NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title                                 NGINX ngx_http_charset_module vulnerability
Weaknesses                            CWE-125
References
Metrics                               cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}
                                      cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:07:10.334Z

Reserved: 2026-04-30T23:04:27.960Z

Link: CVE-2026-42934

Vulnrichment

Updated: 2026-05-13T16:07:05.799Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:49.910

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-42934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses