Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-06-17
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NGINX Plus and NGINX Open Source exhibit a heap buffer over-read in the ngx_http_charset_module when a location block contains both a source_charset utf-8 directive and another charset directive such as charset koi8-r. Remote, unauthenticated attackers can craft HTTP requests that trigger this condition, allowing them to read portions of the worker process memory or cause the process to restart. The attack does not require authentication and leverages an existing server configuration flaw, but it relies on the attacker being able to send requests to the affected location and to configure conflicting charset settings in the server.

Affected Systems

Both F5 NGINX Open Source and F5 NGINX Plus are affected. The vulnerability is present in any supported release of these products; specific vulnerable version ranges were not provided, and releases that have reached End of Technical Support are not evaluated.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, and the EPSS score of less than 1 % implies that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. Exploitability is remote, triggered by HTTP requests to a location block with conflicting charset directives, and requires no credentials or privileged access. Attackers could achieve memory disclosure, potentially exposing sensitive information, or cause denial‑of‑service by restarting the NGINX worker process.

Generated by OpenCVE AI on June 18, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official NGINX patch or upgrade to a version where the ngx_http_charset_module vulnerability is fixed.
  • Reconfigure the server to avoid using both source_charset and charset directives in the same location block, thereby eliminating the configuration that triggers the over‑read.
  • Restrict external access to the NGINX service so only trusted networks can send requests, reducing the attack surface.

Generated by OpenCVE AI on June 18, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4660-1 nginx security update
Debian DLA Debian DLA DLA-4667-1 nginx security update
Debian DSA Debian DSA DSA-6374-1 nginx security update
Ubuntu USN Ubuntu USN USN-8458-1 nginx vulnerabilities
History

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
F5 nginx Plus
Vendors & Products F5
F5 nginx Open Source
F5 nginx Plus

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX ngx_http_charset_module vulnerability
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

F5 Nginx Open Source Nginx Plus
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-06-17T15:42:56.704Z

Reserved: 2026-06-02T21:45:04.856Z

Link: CVE-2026-48142

cve-icon Vulnrichment

Updated: 2026-06-17T15:42:53.164Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-17T14:04:32Z

Links: CVE-2026-48142 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:45:15Z

Weaknesses