*** This bug is a duplicate of bug 2155992 ***
    https://bugs.launchpad.net/bugs/2155992

** Description changed:

  Affected: nginx 1.24.0-2ubuntu7.10, Ubuntu 24.04 LTS (noble), amd64.
  Introduced by USN-8398-1 / CVE-2026-49975. Last known-good: 1.24.0-2ubuntu7.9.
  
  Summary:
  The CVE-2026-49975 fix added a `max_headers` field to core request/config
  structs (ngx_http_request.h, ngx_http_core_module.h; it also touches
  src/http/v2/ngx_http_v2.c). This changes the module ABI, but the
  `nginx-abi-1.24.0-1` virtual package was NOT bumped. Because the ABI version
  is unchanged, nginx-abi-dependent third-party module packages were not
  rebuilt and remain binary-incompatible with the new core. The in-tree module
  packages (image-filter, perl, xslt, etc.) rebuilt with the source and are
  fine; out-of-tree universe modules did not.
  
  Impact:
  Any noble host running a universe/third-party nginx dynamic module is broken
  after this update. Workers segfault on essentially every request, taking the
  site down. Confirmed with libnginx-mod-http-headers-more-filter 0.37-2build1.
  
  Steps to reproduce:
  1. noble host with libnginx-mod-http-headers-more-filter loaded
-    (load_module .../ngx_http_headers_more_filter_module.so;) and a
-    `more_set_headers` directive in the config.
+    (load_module .../ngx_http_headers_more_filter_module.so;) and a
+    `more_set_headers` directive in the config.
  2. Upgrade nginx to 1.24.0-2ubuntu7.10 and restart.
  3. curl -k https://127.0.0.1/ -H 'Host: example'
-    -> connection drops with no HTTP response.
+    -> connection drops with no HTTP response.
  
  Actual result (worker segfaults):
-   nginx[...]: segfault at ... ip ... error 7 in
-     ngx_http_headers_more_filter_module.so[...]
-   nginx[...]: worker process ... exited on signal 11 (core dumped)
+   nginx[...]: segfault at ... ip ... error 7 in
+     ngx_http_headers_more_filter_module.so[...]
+   nginx[...]: worker process ... exited on signal 11 (core dumped)
  
  Expected result:
  The module loads and serves normally, as it did on 1.24.0-2ubuntu7.9.
  
  Note (jammy vs noble):
  On Ubuntu 22.04 (jammy), these third-party modules ship inside the nginx
  source package and carry the same version string as core (e.g. USN-8038-1
  shipped headers-more and others at 1.18.0-6ubuntu14.8), so they are rebuilt
  with every nginx USN and are unaffected. On noble these are separate packages
  gated by the `nginx-abi` dependency, which is why a missed ABI bump breaks
  them specifically. This is a noble-specific regression.
  
  Dependency evidence:
-   $ dpkg -s libnginx-mod-http-headers-more-filter | grep Depends
-     Depends: nginx-abi-1.24.0-1, libc6 (>= 2.14)
+   $ dpkg -s libnginx-mod-http-headers-more-filter | grep Depends
+     Depends: nginx-abi-1.24.0-1, libc6 (>= 2.14)
  The dependency stays satisfied across 7.9 -> 7.10 (same nginx-abi-1.24.0-1),
  so dpkg/apt never flag the now-incompatible module.
  
  Workaround:
  Downgrade the nginx core stack to 1.24.0-2ubuntu7.9 (the module stays at
  0.37-2build1, which matches the 7.9 ABI). Service is restored. Note this
  re-exposes CVE-2026-49975 until a proper fix is available.
  
+ apt install --allow-downgrades \
+   nginx=1.24.0-2ubuntu7 \
+   nginx-common=1.24.0-2ubuntu7 \
+   nginx-extras=1.24.0-2ubuntu7 \
+   libnginx-mod-http-geoip=1.24.0-2ubuntu7 \
+   libnginx-mod-http-image-filter=1.24.0-2ubuntu7 \
+   libnginx-mod-http-perl=1.24.0-2ubuntu7 \
+   libnginx-mod-http-xslt-filter=1.24.0-2ubuntu7 \
+   libnginx-mod-mail=1.24.0-2ubuntu7 \
+   libnginx-mod-stream=1.24.0-2ubuntu7 \
+   libnginx-mod-stream-geoip=1.24.0-2ubuntu7
+ 
+ systemctl restart nginx
+ 
+ apt-mark hold \
+   nginx \
+   nginx-common \
+   nginx-extras \
+   libnginx-mod-http-geoip \
+   libnginx-mod-http-image-filter \
+   libnginx-mod-http-perl \
+   libnginx-mod-http-xslt-filter \
+   libnginx-mod-mail \
+   libnginx-mod-stream \
+   libnginx-mod-stream-geoip
+ 
  Suggested fix:
  Bump nginx-abi-1.24.0-1 to reflect the struct/ABI change, and binNMU the
  dependent third-party module source packages (e.g. headers-more) so the
  universe modules are rebuilt against 7.10.
  
  References:
-   USN-8398-1
-   CVE-2026-49975
+   USN-8398-1
+   CVE-2026-49975
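
Review bot: In the apt install block added under Workaround, every package is pinned to =1.24.0-2ubuntu7, while the Workaround text directly above it and the "Last known-good" line both name 1.24.0-2ubuntu7.9. Either change the pins to the version the text names, or add a sentence stating that 1.24.0-2ubuntu7 is the version intended here, so readers do not land on a different build than the one reported as known-good. Because the block ends with apt-mark hold, it would also help to say that the hold should be lifted with apt-mark unhold once a fixed package is published, since the text notes that the downgrade re-exposes CVE-2026-49975. The added commands are also flush-left with no "$" prompt, unlike the indented command under "Dependency evidence"; matching that layout would keep the description consistent.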

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2156040

Title:
  nginx 1.24.0-2ubuntu7.10 (noble): ABI change in CVE-2026-49975 fix not
  reflected in nginx-abi, crashing third-party modules
