ELA-1740-1 nginx security update

multiple vulnerabilities

2026-05-30
Package: nginx
Version: 1.10.3-1+deb9u10 (stretch), 1.14.2-2+deb10u7 (buster)
Related CVEs: CVE-2025-53859 CVE-2026-1642 CVE-2026-9256 CVE-2026-27651 CVE-2026-27654 CVE-2026-27784 CVE-2026-28753 CVE-2026-32647 CVE-2026-42934 CVE-2026-42945 CVE-2026-42946


Multiple vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in bypass of authorisation rules or rate limits, denial of service or memory disclosure.

CVE-2025-53859

NGINX Open Source has a vulnerability in the ngx_mail_smtp_module that
might allow an unauthenticated attacker to over-read NGINX SMTP
authentication process memory; as a result, the server side may leak
arbitrary bytes sent in a request to the authentication server. This issue
happens during the NGINX SMTP authentication process and requires the
attacker to make preparations against the target system to extract the
leaked data. The issue affects NGINX only if (1) it is built with the
ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method
"none," and (3) the authentication server returns the "Auth-Wait" response
header.

CVE-2026-1642

A vulnerability exists in NGINX OSS when configured to proxy to upstream
Transport Layer Security (TLS) servers. An attacker with a
man-in-the-middle (MITM) position on the upstream server side—along with
conditions beyond the attacker's control—may be able to inject plain text
data into the response from an upstream proxied server.

CVE-2026-9256

NGINX Open Source has a vulnerability in the ngx_http_rewrite_module
module. This vulnerability exists when a rewrite directive uses a regex
pattern with distinct, overlapping Perl-Compatible Regular Expression
(PCRE) captures (for example, ^/((.*))$) and a replacement string that
references multiple such captures (for example, $1$2) in a redirect or
arguments context. An unauthenticated attacker along with conditions beyond
their control can exploit this vulnerability by sending crafted HTTP
requests. This may cause a heap buffer overflow in the NGINX worker process
leading to a restart. Additionally, attackers can execute code on systems
with Address Space Layout Randomization (ASLR) disabled or when the
attacker can bypass ASLR.

CVE-2026-27651

When the ngx_mail_auth_http_module module is enabled on NGINX Open Source,
undisclosed requests can cause worker processes to terminate. This issue
may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the
authentication server permits retry by returning the Auth-Wait response
header.

CVE-2026-27654

NGINX Open Source has a vulnerability in the ngx_http_dav_module module
that might allow an attacker to trigger a buffer overflow to the NGINX
worker process; this vulnerability may result in termination of the NGINX
worker process or modification of source or destination file names outside
the document root. This issue affects NGINX Open Source when the
configuration file uses DAV module MOVE or COPY methods, prefix location
(non-regular expression location configuration), and alias directives. The
integrity impact is constrained because the NGINX worker process user has
low privileges and does not have access to the entire system.

CVE-2026-27784

The 32-bit implementation of NGINX Open Source has a vulnerability in the
ngx_http_mp4_module module, which might allow an attacker to over-read or
over-write NGINX worker memory resulting in its termination, using a
specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source
if it is built with the ngx_http_mp4_module module and the mp4 directive is
used in the configuration file. Additionally, the attack is possible only
if an attacker can trigger the processing of a specially crafted MP4 file
with the ngx_http_mp4_module module.

CVE-2026-28753

NGINX Open Source has a vulnerability in the ngx_mail_smtp_module module
due to the improper handling of CRLF sequences in DNS responses. This
allows an attacker-controlled DNS server to inject arbitrary headers into
SMTP upstream requests, leading to potential request manipulation.

CVE-2026-32647

NGINX Open Source has a vulnerability in the ngx_http_mp4_module module,
which might allow an attacker to trigger a buffer over-read or over-write
to the NGINX worker memory resulting in its termination or possibly code
execution, using a specially crafted MP4 file. This issue affects NGINX
Open Source if it is built with the ngx_http_mp4_module module and the mp4
directive is used in the configuration file. Additionally, the attack is
possible only if an attacker can trigger the processing of a specially
crafted MP4 file with the ngx_http_mp4_module module.

CVE-2026-40701

NGINX Open Source has a vulnerability in the ngx_http_ssl_module module
when the ssl_verify_client directive is set to "on" or "optional," and the
ssl_ocsp directive is set to "on" or the leaf parameters are configured
with a resolver. With this configuration, an unauthenticated attacker can
send requests along with conditions beyond its control that may cause a
heap-use-after-free error in the NGINX worker process. This vulnerability
may result in limited modification of data or the NGINX worker process
restarting.

CVE-2026-42934

NGINX Open Source has a vulnerability in the ngx_http_charset_module
module. When the charset, source_charset, and charset_map directives and
proxy_pass with disabled buffering ("off") are configured, unauthenticated
attackers can send requests that, along with conditions beyond the
attackers' control, cause a heap buffer over-read in the NGINX worker
process, leading to limited disclosure of memory or a restart.

CVE-2026-42945

NGINX Open Source has a vulnerability in the ngx_http_rewrite_module
module. This vulnerability exists when the rewrite directive is followed by
a rewrite, if, or set directive and an unnamed Perl-Compatible Regular
Expression (PCRE) capture (for example, $1, $2) with a replacement string
that includes a question mark (?). An unauthenticated attacker along with
conditions beyond its control can exploit this vulnerability by sending
crafted HTTP requests. This may cause a heap buffer overflow in the NGINX
worker process leading to a restart. Additionally, for systems with Address
Space Layout Randomization (ASLR) disabled, code execution is possible.

CVE-2026-42946

A vulnerability exists in the ngx_http_scgi_module and
ngx_http_uwsgi_module modules that may result in excessive memory
allocation or an over-read of data. When scgi_pass or uwsgi_pass is
configured, an unauthenticated attacker with man-in-the-middle (MITM)
ability to control responses from an upstream server may be able to read
the memory of the NGINX worker process or restart it.


For Debian 10 buster, these problems have been fixed in version 1.14.2-2+deb10u7.

For Debian 9 stretch, these problems have been fixed in version 1.10.3-1+deb9u10.

We recommend that you upgrade your nginx packages.
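
A coarse triage of the configuration preconditions listed above, as an added example (not part of the advisory or of nginx): it scans configuration text, such as the output of `nginx -T`, for the directives named per CVE. The directive names smtp_auth, pop3_auth, imap_auth and proxy_buffering, the function names and the sample configuration are assumptions added here; block scope, includes and quoting are ignored.

```python
import re

# Constructed sample in the shape of `nginx -T` output; not from a real host.
SAMPLE = """
mail { server { listen 25; protocol smtp; smtp_auth none; } }
http { server {
    location /video/ { mp4; }
    location /files/ { alias /srv/files/; dav_methods PUT MOVE COPY; }
    rewrite ^/((.*))$ /new?$1$2 redirect;
    set $x 1;
} }
"""

def directives(conf):
    """(name, args) per statement. Coarse: ignores quoting, includes and block scope."""
    conf = re.sub(r"#[^\n]*", "", conf)
    return [(p[0], p[1:]) for p in (s.split() for s in re.split(r"[;{}]", conf)) if p]

def exposure(conf):
    """Return the CVE ids whose configuration preconditions appear in conf."""
    d = directives(conf)
    names = {n for n, _ in d}
    def has(name, *vals):
        return any(n == name and {x.lower() for x in a} & set(vals) for n, a in d)
    hits = set()
    if has("smtp_auth", "none"):
        hits.add("CVE-2025-53859")
    if any(has(k, "cram-md5", "apop") for k in ("smtp_auth", "pop3_auth", "imap_auth")):
        hits.add("CVE-2026-27651")
    if has("dav_methods", "move", "copy") and "alias" in names:
        hits.add("CVE-2026-27654")
    if "mp4" in names:  # CVE-2026-27784 has the same precondition on 32-bit builds
        hits.add("CVE-2026-32647")
    if has("ssl_verify_client", "on", "optional") and has("ssl_ocsp", "on", "leaf"):
        hits.add("CVE-2026-40701")
    if {"charset", "source_charset", "charset_map", "proxy_pass"} <= names \
            and has("proxy_buffering", "off"):
        hits.add("CVE-2026-42934")
    if names & {"scgi_pass", "uwsgi_pass"}:
        hits.add("CVE-2026-42946")
    for i, (n, a) in enumerate(d):
        if n != "rewrite" or len(a) < 2:
            continue
        regex, repl = a[0], a[1]
        refs = set(re.findall(r"\$(\d)", repl))
        # Nested capture such as ((.*)) with two or more captures referenced
        if len(refs) >= 2 and re.search(r"\((?!\?)[^()]*\((?!\?)", regex):
            hits.add("CVE-2026-9256")
        # Unnamed capture plus '?' in the replacement, with a later rewrite/if/set
        if refs and "?" in repl and any(m in ("rewrite", "if", "set") for m, _ in d[i + 1:]):
            hits.add("CVE-2026-42945")
    return sorted(hits)

if __name__ == "__main__":
    print(exposure(SAMPLE))
```

A hit means the precondition is present in the configuration, not that the host is unpatched; compare the installed package version against the fixed versions given above.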

Further information about Extended LTS security advisories can be found in the dedicated section of our website.