SB2026051860 - SUSE update for nginx

Description

This security bulletin contains information about 4 vulnerabilities.

1) Acceptance of extraneous untrusted data with trusted data (CVE-ID: CVE-2026-1642)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect handling of trusted and untrusted data when configured to proxy to upstream Transport Layer Security (TLS) servers. A remote unauthenticated attacker with an MITM position on the upstream server side can inject plain text data into the responses from an upstream proxied server and send them to clients. 

2) Heap-based buffer overflow (CVE-ID: CVE-2026-27654)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in the ngx_http_dav_module module. A remote attacker can send specially crafted request to the server, trigger a heap-based buffer overflow and perform a denial of service attack or modify source or destination file names outside the document root. 

3) Integer overflow (CVE-ID: CVE-2026-27784)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in the ngx_http_mp4_module module. A remote attacker can supply specially crafted MP4 data to the server, trigger an integer overflow and execute arbitrary code on the target system.

Note, the vulnerability affects only 32-bit NGINX Open Source deployments. 

4) CRLF injection (CVE-ID: CVE-2026-28753)

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data in the ngx_mail_smtp_module module when handling DNS responses. A remote attacker can inject arbitrary headers into SMTP upstream requests and manipulate data.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2026/suse-su-20261953-1/