CVE-2026-42946

Medienbericht

EPSS 0.04%
Veröffentlicht 13.05.2026 14:12:44
Zuletzt bearbeitet 13.05.2026 16:27:11
Quelle f5sirt@f5.com
CVE-Watchlists
Login
Unerledigt
Login

NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

CNA 2 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerF5

≫

Produkt NGINX Plus

Default Statusunknown

Version R37

Version < *

Status unaffected

Version R36

Version < R36 P4

Status affected

Version R32

Version < R32 P6

Status affected

HerstellerF5

≫

Produkt NGINX Open Source

Default Statusunaffected

Version 1.31.0

Version < *

Status unaffected

Version 0.8.42

Version < 1.30.1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.125

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
f5sirt@f5.com	6.5	2.2	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
f5sirt@f5.com	8.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-789 Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

CWE-823 Use of Out-of-range Pointer Offset

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

https://www.bleepingcomputer.com/news/security/18-year-old-nginx-vulnerability-allows-dos-potential-rce/

Media Report

https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

Media Report

https://my.f5.com/manage/s/article/K000161027

https://nvd.nist.gov/vuln/detail/CVE-2026-42946

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42946

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42946

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42946