------------------------------------------------------------------------- Debian LTS Advisory DLA-4589-1 [email protected] https://www.debian.org/lts/security/ Carlos Henrique Lima Melara May 18, 2026 https://wiki.debian.org/LTS -------------------------------------------------------------------------
Package : nginx
Version : 1.18.0-6.1+deb11u6
CVE ID : CVE-2025-53859 CVE-2026-1642 CVE-2026-27651 CVE-2026-27654
CVE-2026-27784 CVE-2026-28753 CVE-2026-32647 CVE-2026-40701
CVE-2026-42934 CVE-2026-42945 CVE-2026-42946
Debian Bug : 1111138 1127053
Multiple vulnerabilities were discoverd in Nginx, a high-performance web and
reverse proxy server, which could result in bypass of authorisation rules or
rate limits, denial of service or memory disclosure.
CVE-2025-53859
NGINX Open Source has a vulnerability in the ngx_mail_smtp_module that
might allow an unauthenticated attacker to over-read NGINX SMTP
authentication process memory; as a result, the server side may leak
arbitrary bytes sent in a request to the authentication server. This issue
happens during the NGINX SMTP authentication process and requires the
attacker to make preparations against the target system to extract the
leaked data. The issue affects NGINX only if (1) it is built with the
ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method
"none," and (3) the authentication server returns the "Auth-Wait" response
header.
CVE-2026-1642
A vulnerability exists in NGINX OSS when configured to proxy to upstream
Transport Layer Security (TLS) servers. An attacker with a
man-in-the-middle (MITM) position on the upstream server side—along with
conditions beyond the attacker's control—may be able to inject plain text
data into the response from an upstream proxied server.
CVE-2026-27651
When the ngx_mail_auth_http_module module is enabled on NGINX Open Source,
undisclosed requests can cause worker processes to terminate. This issue
may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the
authentication server permits retry by returning the Auth-Wait response
header.
CVE-2026-27654
NGINX Open Source has a vulnerability in the ngx_http_dav_module module
that might allow an attacker to trigger a buffer overflow to the NGINX
worker process; this vulnerability may result in termination of the NGINX
worker process or modification of source or destination file names outside
the document root. This issue affects NGINX Open Source when the
configuration file uses DAV module MOVE or COPY methods, prefix location
(nonregular expression location configuration), and alias directives. The
integrity impact is constrained because the NGINX worker process user has
low privileges and does not have access to the entire system.
CVE-2026-27784
The 32-bit implementation of NGINX Open Source has a vulnerability in the
ngx_http_mp4_module module, which might allow an attacker to over-read or
over-write NGINX worker memory resulting in its termination, using a
specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source
if it is built with the ngx_http_mp4_module module and the mp4 directive is
used in the configuration file. Additionally, the attack is possible only
if an attacker can trigger the processing of a specially crafted MP4 file
with the ngx_http_mp4_module module.
CVE-2026-28753
NGINX Open Source has a vulnerability in the ngx_mail_smtp_module module
due to the improper handling of CRLF sequences in DNS responses. This
allows an attacker-controlled DNS server to inject arbitrary headers into
SMTP upstream requests, leading to potential request manipulation.
CVE-2026-32647
NGINX Open Source has a vulnerability in the ngx_http_mp4_module module,
which might allow an attacker to trigger a buffer over-read or over-write
to the NGINX worker memory resulting in its termination or possibly code
execution, using a specially crafted MP4 file. This issue affects NGINX
Open Source if it is built with the ngx_http_mp4_module module and the mp4
directive is used in the configuration file. Additionally, the attack is
possible only if an attacker can trigger the processing of a specially
crafted MP4 file with the ngx_http_mp4_module module.
CVE-2026-40701
NGINX Open Source has a vulnerability in the ngx_http_ssl_module module
when the ssl_verify_client directive is set to "on" or "optional," and the
ssl_ocsp directive is set to "on" or the leaf parameters are configured
with a resolver. With this configuration, an unauthenticated attacker can
send requests along with conditions beyond its control that may cause a
heap-use-after-free error in the NGINX worker process. This vulnerability
may result in limited modification of data or the NGINX worker process
restarting.
CVE-2026-42934
NGINX Open Source has a vulnerability in the ngx_http_charset_module
module. When charset, source_charset, and charset_map and proxy_pass with
disabled buffering ("off") directives are configured, unauthenticated
attackers can send requests that with conditions beyond the attackers'
control to cause a heap buffer over-read in the NGINX worker process,
leading to limited disclosure of memory or a restart.
CVE-2026-42945
NGINX Open Source has a vulnerability in the ngx_http_rewrite_module
module. This vulnerability exists when the rewrite directive is followed by
a rewrite, if, or set directive and an unnamed Perl-Compatible Regular
Expression (PCRE) capture (for example, $1, $2) with a replacement string
that includes a question mark (?). An unauthenticated attacker along with
conditions beyond its control can exploit this vulnerability by sending
crafted HTTP requests. This may cause a heap buffer overflow in the NGINX
worker process leading to a restart. Additionally, for systems with Address
Space Layout Randomization (ASLR) disabled, code execution is possible.
CVE-2026-42946
A vulnerability exists in the ngx_http_scgi_module and
ngx_http_uwsgi_module modules that may result in excessive memory
allocation or an over-read of data. When scgi_pass or uwsgi_pass is
configured, an unauthenticated attacker with man-in-the-middle (MITM)
ability to control responses from an upstream server may be able to read
the memory of the NGINX worker process or restart it.
For Debian 11 bullseye, these problems have been fixed in version
1.18.0-6.1+deb11u6.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
signature.asc
Description: PGP signature
