Medium severity6.5NVD Advisory· Published May 13, 2026· Updated Jun 16, 2026
CVE-2026-42946
CVE-2026-42946
Description
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected products
11- osv-coords11 versionspkg:bitnami/nginxpkg:bitnami/nginx-gatewaypkg:rpm/opensuse/nginx&distro=openSUSE%20Tumbleweedpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5
>= 0.8.42, < 1.30.1+ 10 more
- (no CPE)range: >= 0.8.42, < 1.30.1
- (no CPE)range: >= 0.8.42, < 1.30.1
- (no CPE)range: < 1.31.0-1.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
- (no CPE)range: < 1.21.5-150400.3.20.1
Patches
Vulnerability mechanics
References
1- my.f5.com/manage/s/article/K000161027nvdMitigationVendor Advisory
News mentions
2- 18-year-old NGINX vulnerability allows DoS, potential RCEBleepingComputer · May 14, 2026
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCEThe Hacker News · May 14, 2026