CVE-2026-42055

CRITICAL 9.2

Published 2026-06-17 · Last modified 2026-06-30

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when proxy_http_version is set to 2 or the grpc_pass directive is used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process, leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
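
To check whether a configuration meets the three preconditions named above, the following added example (not code from F5, NGINX or this page) scans nginx configuration text for them. The function names and sample configuration are hypothetical, and the scan is flat: it ignores context inheritance, quoting and `include` files, so a hit means "review this file", not "confirmed exposed".

```python
import re

# Assumption: the advisory's "2 megabytes" is read as nginx's 2m (2 * 1024 * 1024 bytes).
LIMIT = 2 * 1024 * 1024
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;   # constructed value above 2m
    server {
        location / { grpc_pass grpc://127.0.0.1:50051; }
    }
}
"""


def directives(conf_text):
    """Yield (name, args) per statement; naive: ignores quoting and includes."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def parse_size(value):
    """Convert an nginx size argument such as 8k or 4m to bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.lower())
    if not m:
        raise ValueError(f"unrecognised size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def audit(conf_text):
    """Report which of the three preconditions appear anywhere in the text."""
    found = {"http2_upstream": False, "invalid_headers_allowed": False,
             "header_buffer_over_2m": False}
    for name, args in directives(conf_text):
        if (name == "grpc_pass" and args) or (name, args[:1]) == ("proxy_http_version", ["2"]):
            found["http2_upstream"] = True
        elif (name, args[:1]) == ("ignore_invalid_headers", ["off"]):
            found["invalid_headers_allowed"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            found["header_buffer_over_2m"] |= parse_size(args[1]) > LIMIT
    found["all_conditions_present"] = all(found.values())
    return found
```

`audit(SAMPLE)` reports all three conditions as present; changing the buffer size to `2m` or removing `ignore_invalid_headers off` clears the combined flag.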

ELEVATED IMPACT

Severe if exploited (CVSS 9.2), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

2.9% chance of exploitation in 30 days · 85th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

9.2 CVSS 4.0 · CRITICAL

  • Confidentiality: High
  • Integrity: High
  • Availability: High

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: Needs a race window or specific setup
  • Requirements: Specific conditions must be present

Affected

Vendors: F5, Red Hat

Products: Nginx Open Source, Nginx Plus, Red Hat Hardened Images, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9

Weakness (CWE)

  • CWE-122
  • CWE-131

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Sources: NVD · CVE.org · EPSS