SB2026052722 - Anolis OS update for nginx

Description

This security bulletin contains information about 2 vulnerabilities.

1) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-40460)

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass authorization or cause a denial of service.

The vulnerability exists due to authentication bypass by spoofing in the ngx_quic_module module when handling HTTP/3 QUIC traffic. A remote attacker can spoof their source IP address to bypass authorization or cause a denial of service.

There is no control plane exposure; this is a data plane issue only.

2) Heap-based buffer overflow (CVE-ID: CVE-2026-9256)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to heap-based buffer overflow in ngx_http_rewrite_module when processing crafted HTTP requests that trigger rewrite directives using overlapping PCRE captures and multiple capture references in a redirect or arguments context. A remote attacker can send crafted HTTP requests to execute arbitrary code or crash the web server.

There is no control plane exposure; this is a data plane issue only. Code execution is possible on systems with ASLR disabled or when ASLR can be bypassed.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2026:0759