Source: nginx
Version: 1.30.1-4
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nginx.

CVE-2026-42055[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This
| vulnerability exists when the proxy_http_version to 2 or
| grpc_pass directives are used to proxy HTTP/2 traffic, the
| ignore_invalid_headers directive is set to off, and the
| large_client_header_buffers directive size is larger than 2
| megabytes. A remote, unauthenticated attacker, along with conditions
| beyond their control, could send large headers while creating an
| upstream request. This may cause a heap-based buffer overflow in the
| NGINX worker process leading to a restart. Additionally, attackers
| can execute code on systems with Address Space Layout Randomization
| (ASLR) disabled or when the attacker can bypass ASLR. Note:
| Software versions which have reached End of Technical Support (EoTS)
| are not evaluated.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-42055
    https://www.cve.org/CVERecord?id=CVE-2026-42055
[1] https://my.f5.com/manage/s/article/K000161584
[2] https://github.com/nginx/nginx/commit/131be8514da8985b15b74150521afedbf9cc4ea3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
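The quoted description names three configuration preconditions that must hold together: HTTP/2 proxying to an upstream (grpc_pass, or proxy_http_version set to 2), ignore_invalid_headers off, and a large_client_header_buffers size above 2 megabytes. The script below is an added example for triaging deployments against that description; it is not part of this report, of nginx, or of the Debian packaging. It performs a flat scan of an nginx configuration, treating every directive as if it applied globally, so it ignores context nesting and inheritance and will also report a match spread across different server blocks (a deliberate over-approximation). The two embedded configurations are constructed for the demonstration; accepting the token 2.0 as well as 2 for proxy_http_version, and reading the advisory's "2 megabytes" as nginx's 2m (2 * 1024 * 1024 bytes), are assumptions.

```python
"""Flag an nginx configuration matching the CVE-2026-42055 preconditions.

Example code added to this report (not nginx's or Debian's code). Flat scan:
every directive is treated as if it applied globally, so the result is a
conservative over-approximation meant for triage, not a model of nginx's
context inheritance rules.
"""
import re

# Advisory threshold: large_client_header_buffers size "larger than 2 megabytes".
# Assumption: the threshold is in nginx's own size units (2m = 2 * 1024 * 1024 bytes).
THRESHOLD_BYTES = 2 * 1024 * 1024
DEFAULT_HEADER_BUF_BYTES = 8 * 1024  # nginx default is "large_client_header_buffers 4 8k"


def parse_size(token):
    """Convert an nginx size value (plain bytes, or k/K and m/M suffixes) to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"not an nginx size value: {token!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    return number * {"": 1, "k": 1024, "m": 1024 * 1024}[unit]


def directives(conf_text):
    """Yield (name, args) for every directive, ignoring block nesting and comments."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # strip '#' comments to end of line
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def assess(conf_text):
    """Return the state of each advisory precondition and whether all three hold."""
    h2_upstream = False
    invalid_headers_off = False
    max_header_buf = None
    for name, args in directives(conf_text):
        if name == "grpc_pass":
            h2_upstream = True
        elif name == "proxy_http_version" and args and args[0] in ("2", "2.0"):
            h2_upstream = True  # assumption: "2" is the value selecting HTTP/2 upstreams
        elif name == "ignore_invalid_headers" and args and args[0].lower() == "off":
            invalid_headers_off = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            size = parse_size(args[1])  # directive form: <number> <size>
            max_header_buf = size if max_header_buf is None else max(max_header_buf, size)
    if max_header_buf is None:
        max_header_buf = DEFAULT_HEADER_BUF_BYTES
    return {
        "h2_upstream": h2_upstream,
        "ignore_invalid_headers_off": invalid_headers_off,
        "large_client_header_buffers_bytes": max_header_buf,
        "exposed": h2_upstream and invalid_headers_off and max_header_buf > THRESHOLD_BYTES,
    }


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONF = """
http {
    ignore_invalid_headers off;            # precondition 2
    large_client_header_buffers 4 4m;      # precondition 3: 4 MiB > 2 MiB
    server {
        listen 443 ssl;
        location /api/ {
            grpc_pass grpc://127.0.0.1:50051;   # precondition 1: HTTP/2 upstream
        }
    }
}
"""

HARDENED_CONF = """
http {
    ignore_invalid_headers on;             # nginx default: drop header fields with invalid names
    large_client_header_buffers 4 16k;     # well under the 2 MiB threshold
    server {
        listen 443 ssl;
        location /api/ {
            grpc_pass grpc://127.0.0.1:50051;
        }
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, assess(conf))
```

Run it against `nginx -T` output to see the effective configuration rather than a single file. A hit from this scan is a reason to check context inheritance by hand, not proof of exposure; a miss on all three axes, in particular a buffer size at or below 2m or ignore_invalid_headers left at its default, is what the description says takes a deployment outside the affected configuration.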

