CRITICAL · CVE-2026-42055 · Published · Modified · CNA f5

CVE-2026-42055: NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. The vulnerability exists when proxy_http_version is set to 2 or the grpc_pass directive is used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, together with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process, leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions that have reached End of Technical Support (EoTS) are not evaluated.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 1.30.3
Affected Products: 2

HarborGuard Analysis

Synopsis

Heap-based buffer overflow in NGINX Open Source and NGINX Plus affects the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. The vulnerability is reachable over the network without authentication, but exploitation requires a specific combination of configuration conditions (proxy_http_version 2 or grpc_pass in use, ignore_invalid_headers set to off, and large_client_header_buffers sized above 2 MB) along with circumstances partially outside the attacker's control. Successful exploitation crashes the NGINX worker process, and on systems where ASLR is disabled or bypassable, attackers can achieve remote code execution. Patched-image rebuilds at versions 1.30.3, 1.31.2, 37.0.2.1, and R36 P6 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-42055 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication from upstream feeds. Coverage extends to custom-built NGINX images, not just upstream base images.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 9.2 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available as part of the standard pipeline.

Status: Available

Patch

A patched-image rebuild at the fix versions (NGINX Open Source 1.30.3 or 1.31.2, NGINX Plus 37.0.2.1 or R36 P6) becomes available on HarborGuard once the upstream package is published. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the NGINX service over the network to send the crafted large headers that trigger the overflow.

  • Authentication: Not required

    No credentials or account are needed; the attack is available to any unauthenticated remote sender.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the NGINX service without involving any human victim.

  • Attack complexity: Detail

    Exploitation is high complexity, requiring a specific NGINX configuration (proxy_http_version 2 or grpc_pass, ignore_invalid_headers off, large_client_header_buffers above 2 MB) plus environmental conditions partially outside the attacker's control, such as ASLR being disabled or bypassable for code execution to succeed.

Blast Radius

  • Crashes the NGINX worker process, causing it to restart and dropping in-flight HTTP/2 and gRPC requests served through the affected upstream proxy configuration.
  • On systems with ASLR disabled, the attacker gains arbitrary code execution inside the NGINX worker process.
  • On systems where the attacker can bypass ASLR, the attacker similarly achieves code execution within the worker process context, with access to memory and file descriptors held by that process.
  • Confidentiality and integrity of data handled by the worker process are fully compromised on systems where code execution is achieved.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42055 is active across customer environments, matching against any image that includes an affected version of NGINX Open Source (from 1.13.10 up to, but not including, 1.30.3 or 1.31.2) or NGINX Plus (from R36 up to, but not including, R36 P6, or from 37.0 up to, but not including, 37.0.2.1). Where compliance policy permits, HarborGuard can trigger an automated patched-image rebuild at the appropriate fix version, run regression tests against the rebuilt image, and open a pull request against affected workloads; for high-severity and critical issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Customers who have not enabled auto-remediation will see the CVE flagged in their dashboard with fix-version guidance.

Because this vulnerability depends on configuration, a useful first triage step is to review whether the proxy_http_version 2 or grpc_pass directives are active alongside the relevant header-buffer settings. HarborGuard re-checks advisory status each ingest cycle, so any updates from F5 regarding affected version ranges or additional fix releases will propagate automatically.
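The configuration review named above as a first triage step, as an added example (not HarborGuard or F5 code): a Python script that reads a dumped NGINX configuration and reports which of the three conditions from the advisory appear. It assumes "2 megabytes" means 2 MiB, does not model server/location inheritance (a directive anywhere in the dump counts), and uses a constructed sample config.

```python
import re
import sys

TWO_MB = 2 * 1024 * 1024                      # assumption: "2 megabytes" read as 2 MiB
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}  # nginx size suffixes

# Constructed sample config (not from the advisory), shaped like `nginx -T` output.
SAMPLE = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;   # number size
    server {
        location /api/ { grpc_pass grpc://127.0.0.1:50051; }
    }
}
"""

def parse_size(token):
    """Convert an nginx size such as 8k or 4m to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"not an nginx size: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def directives(conf_text):
    """Yield (name, args) per statement. Simplified: '#' always starts a comment."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf_text)):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def triage(conf_text):
    """Report which of the advisory's three configuration conditions appear."""
    hit = {"http2_upstream": False, "invalid_headers_allowed": False,
           "header_buffer_over_2mb": False}
    for name, args in directives(conf_text):
        if name == "grpc_pass" or (name == "proxy_http_version" and args[:1] == ["2"]):
            hit["http2_upstream"] = True
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            hit["invalid_headers_allowed"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            hit["header_buffer_over_2mb"] |= parse_size(args[1]) > TWO_MB
    hit["review_needed"] = all(hit.values())  # all three conditions present
    return hit

if __name__ == "__main__":  # nginx -T 2>/dev/null | python3 triage.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

When review_needed is True, confirm that the three directives apply to the same server or location before prioritising the rebuild; any other result still leaves the version check in place.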

Fix available

1.30.3 · 1.31.2 · 37.0.2.1 · R36 P6

Affected packages
  • F5 / NGINX Open Source
    < 1.31.2 (from 1.13.10) · < 1.30.3 (from 1.30.2)
  • F5 / NGINX Plus
    < 37.0.2.1 (from 37.0) · < R36 P6 (from R36)
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N