NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability
Summary
| CVE | CVE-2026-42055 |
|---|---|
| State | PUBLISHED |
| Assigner | f5 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-17 15:16:50 UTC |
| Updated | 2026-07-02 20:03:31 UTC |
| Description | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
Risk And Classification
Primary CVSS: v4.0 9.2 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.028380000 probability, percentile 0.849470000 (date 2026-07-05)
Problem Types: CWE-122 | CWE-787 | CWE-131 | CWE-122 CWE-122 Heap-based Buffer Overflow | CWE-131 Incorrect Calculation of Buffer Size
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | F5 | Dos | 4.9.0 | All | All | All |
| Application | F5 | Nginx App Protect Dos | All | All | All | All |
| Application | F5 | Nginx App Protect Waf | All | All | All | All |
| Application | F5 | Nginx App Protect Waf | All | All | All | All |
| Application | F5 | Nginx Gateway Fabric | All | All | All | All |
| Application | F5 | Nginx Gateway Fabric | All | All | All | All |
| Application | F5 | Nginx Ingress Controller | All | All | All | All |
| Application | F5 | Nginx Ingress Controller | 4.0.0 | All | All | All |
| Application | F5 | Nginx Ingress Controller | 4.0.1 | All | All | All |
| Application | F5 | Nginx Ingress Controller | All | All | All | All |
| Application | F5 | Nginx Instance Manager | All | All | All | All |
| Application | F5 | Nginx Open Source | All | All | All | All |
| Application | F5 | Nginx Open Source | 1.31.1 | All | All | All |
| Application | F5 | Nginx Plus | r3 | All | All | All |
| Application | F5 | Nginx Plus | r30 | - | All | All |
| Application | F5 | Nginx Plus | r30 | p1 | All | All |
| Application | F5 | Nginx Plus | r30 | p2 | All | All |
| Application | F5 | Nginx Plus | r31 | - | All | All |
| Application | F5 | Nginx Plus | r31 | p1 | All | All |
| Application | F5 | Nginx Plus | r31 | p2 | All | All |
| Application | F5 | Nginx Plus | r31 | p3 | All | All |
| Application | F5 | Nginx Plus | r32 | - | All | All |
| Application | F5 | Nginx Plus | r32 | p1 | All | All |
| Application | F5 | Nginx Plus | r32 | p2 | All | All |
| Application | F5 | Nginx Plus | r32 | p3 | All | All |
| Application | F5 | Nginx Plus | r32 | p4 | All | All |
| Application | F5 | Nginx Plus | r33 | - | All | All |
| Application | F5 | Nginx Plus | r33 | p1 | All | All |
| Application | F5 | Nginx Plus | r33 | p2 | All | All |
| Application | F5 | Nginx Plus | r33 | p3 | All | All |
| Application | F5 | Nginx Plus | r34 | - | All | All |
| Application | F5 | Nginx Plus | r34 | p1 | All | All |
| Application | F5 | Nginx Plus | r34 | p2 | All | All |
| Application | F5 | Nginx Plus | r35 | - | All | All |
| Application | F5 | Nginx Plus | r35 | p1 | All | All |
| Application | F5 | Nginx Plus | r36 | - | All | All |
| Application | F5 | Nginx Plus | r36 | p1 | All | All |
| Application | F5 | Nginx Plus | r36 | p2 | All | All |
| Application | F5 | Nginx Plus | r36 | p3 | All | All |
| Application | F5 | Nginx Plus | r36 | p4 | All | All |
| Application | F5 | Nginx Plus | r36 | p5 | All | All |
| Application | F5 | Nginx Plus | All | All | All | All |
| Application | F5 | Waf | 4.8.1 | All | All | All |
| Application | F5 | Waf | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | F5 | NGINX Open Source | affected 1.13.10 1.31.2 custom | Not specified |
| CNA | F5 | NGINX Open Source | affected 1.30.2 1.30.3 custom | Not specified |
| CNA | F5 | NGINX Plus | affected 37.0 37.0.2.1 custom | Not specified |
| CNA | F5 | NGINX Plus | affected R36 R36 P6 custom | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:27197 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| my.f5.com/manage/s/article/K000161584 | [email protected] | my.f5.com | Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | Third Party Advisory |
| access.redhat.com/security/cve/CVE-2026-42055 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | Third Party Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: "F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and 章鱼哥 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure." (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-17T16:01:41.848Z | Reported to Red Hat. |
| ADP | 2026-06-17T14:04:32.520Z | Made public. |
Solutions
ADP: RHSA-2026:27197: Red Hat Hardened Images
Workarounds
ADP: To mitigate this vulnerability, ensure that the `ignore_invalid_headers` directive is set to `on` in your NGINX configuration, or reduce the size specified by the `large_client_header_buffers` directive to 2 megabytes or less. These changes require an NGINX service reload or restart to take effect. Reloading the NGINX service is generally safe, but a restart will briefly interrupt service.