A heap memory buffer overflow might occur in a worker process when using a configuration with "ignore_invalid_headers off;" and "large_client_header_buffers" with large configured values when proxying a specially crafted request to gRPC backend, allowing an attacker to cause worker process memory corruption or segmentation fault in a worker process.
This is a partial cherry-pick of 131be8514da8985b15b74150521afedbf9cc4ea3 since ngx_http_proxy_v2_module.c does not exist in nginx 1.24 Signed-off-by: Benjamin Robin (Schneider Electric) <[email protected]> --- .../recipes-httpd/nginx/files/CVE-2026-42055.patch | 102 +++++++++++++++++++++ meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | 1 + 2 files changed, 103 insertions(+) diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-42055.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-42055.patch new file mode 100644 index 000000000000..5bb8e94063cd --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-42055.patch @@ -0,0 +1,102 @@ +From 2782212e79ea4d1bdd4ab0f13ac24555a5ebbc0c Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <[email protected]> +Date: Tue, 2 Jun 2026 19:37:17 +0400 +Subject: [PATCH] Upstream: limit header length for HTTP/2 and gRPC + +The change applies the HTTP/2 header length limits to avoid buffer +overflow. See 58a7bc3406ac for details. + +Reported by Mufeed VH of Winfunc Research. + +CVE: CVE-2026-42055 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/131be8514da8985b15b74150521afedbf9cc4ea3] +Signed-off-by: Benjamin Robin <[email protected]> +--- + src/http/modules/ngx_http_grpc_module.c | 44 +++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c +index dfe49c58618c..f7473b11aa3e 100644 +--- a/src/http/modules/ngx_http_grpc_module.c ++++ b/src/http/modules/ngx_http_grpc_module.c +@@ -740,6 +740,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + tmp_len = 0; + + } else { ++ if (r->method_name.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 method: \"%V\"", &r->method_name); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + r->method_name.len; + tmp_len = r->method_name.len; + } +@@ -760,6 +766,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + uri_len = r->uri.len + escape + sizeof("?") - 1 + r->args.len; + } + ++ if (uri_len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 URI"); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + uri_len; + + if (tmp_len < uri_len) { +@@ -769,6 +781,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + /* :authority header */ + + if (!glcf->host_set) { ++ if (ctx->host.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 host: \"%V\"", &ctx->host); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + ctx->host.len; + + if (tmp_len < ctx->host.len) { +@@ -799,6 +817,18 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + continue; + } + ++ if (key_len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header name"); ++ return NGX_ERROR; ++ } ++ ++ if (val_len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header value"); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + key_len + + NGX_HTTP_V2_INT_OCTETS + val_len; + +@@ -833,6 +863,20 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + continue; + } + ++ if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header name: \"%V\"", ++ &header[i].key); ++ return NGX_ERROR; ++ } ++ ++ if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header value: \"%V: %V\"", ++ &header[i].key, &header[i].value); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len + + NGX_HTTP_V2_INT_OCTETS + header[i].value.len; + +-- +2.54.0 diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index dee6c6618e37..e407c1d083bc 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -15,6 +15,7 @@ SRC_URI:append = " \ file://CVE-2026-42946-01.patch \ file://CVE-2026-42946-02.patch \ file://CVE-2026-9256.patch \ + file://CVE-2026-42055.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" --- base-commit: b0c2c648a1af89e7a8dd4c2ec841f3bc0ed0ccb9 change-id: 20260701-nginx-cve-2026-42055-4199c305f4a8 Best regards, -- Benjamin Robin (Schneider Electric) <[email protected]>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127992): https://lists.openembedded.org/g/openembedded-devel/message/127992 Mute This Topic: https://lists.openembedded.org/mt/120062149/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
