SB2026060403 - Ubuntu update for nginx
Published: June 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 12 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2025-53859)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a boundary condition in the ngx_mail_smtp_module. A remote attacker can force the server to leak arbitrary bytes sent in a request to the authentication server.
This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header.
2) Acceptance of extraneous untrusted data with trusted data (CVE-ID: CVE-2026-1642)
CWE-ID: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect handling of trusted and untrusted data when configured to proxy to upstream Transport Layer Security (TLS) servers. A remote unauthenticated attacker with an MITM position on the upstream server side can inject plain text data into the responses from an upstream proxied server and send them to clients.
3) NULL pointer dereference (CVE-ID: CVE-2026-27651)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the ngx_mail_auth_http_module module. A remote attacker can send specially crafted request to the server and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that the CRAM-MD5 or APOP authentication is enabled, and the authentication server permits retry by returning the Auth-Wait response header.
4) Heap-based buffer overflow (CVE-ID: CVE-2026-27654)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error in the ngx_http_dav_module module. A remote attacker can send specially crafted request to the server, trigger a heap-based buffer overflow and perform a denial of service attack or modify source or destination file names outside the document root.
5) Integer overflow (CVE-ID: CVE-2026-27784)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the ngx_http_mp4_module module. A remote attacker can supply specially crafted MP4 data to the server, trigger an integer overflow and execute arbitrary code on the target system.
Note, the vulnerability affects only 32-bit NGINX Open Source deployments.
6) Out-of-bounds write (CVE-ID: CVE-2026-32647)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in the ngx_http_mp4_module module. A remote attacker can supply a specially crafted MP4 file to the server, trigger an out-of-bounds write and execute arbitrary code on the target system.
7) CRLF injection (CVE-ID: CVE-2026-28753)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data in the ngx_mail_smtp_module module when handling DNS responses. A remote attacker can inject arbitrary headers into SMTP upstream requests and manipulate data.
8) Use-after-free (CVE-ID: CVE-2026-40701)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or modify data in a limited manner.
The vulnerability exists due to use-after-free in ngx_http_ssl_module when handling requests with client certificate verification and OCSP checking enabled. A remote attacker can send requests that trigger the flaw to cause a denial of service or modify data in a limited manner.
This issue affects the data plane only. Exploitation requires the ssl_verify_client directive to be set to "on" or "optional," and the ssl_ocsp directive to be set to "on" or configured with the leaf parameter and a resolver.
9) Out-of-bounds read (CVE-ID: CVE-2026-42934)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose limited memory contents or cause a denial of service.
The vulnerability exists due to out-of-bounds read in ngx_http_charset_module when processing requests with charset, source_charset, charset_map, and proxy_pass configured with buffering disabled. A remote attacker can send crafted requests to disclose limited memory contents or cause a denial of service.
This issue affects the data plane only and requires the specific configuration to be enabled.
10) Heap-based buffer overflow (CVE-ID: CVE-2026-42945)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to heap-based buffer overflow in ngx_http_rewrite_module when processing crafted HTTP requests that reach configurations where a rewrite directive is followed by a rewrite, if, or set directive and unnamed PCRE captures are used with a replacement string containing a question mark. A remote attacker can send crafted HTTP requests to cause a denial of service or execute arbitrary code.
Code execution is possible on systems with address space layout randomization disabled. There is no control plane exposure; this is a data plane issue only.
11) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-42946)
CWE-ID: CWE-789 - Uncontrolled Memory Allocation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose memory contents of the NGINX worker process or cause a denial of service.
The vulnerability exists due to memory allocation with excessive size value and use of out-of-range pointer offset in the ngx_http_scgi_module and ngx_http_uwsgi_module modules when processing responses from an upstream server via scgi_pass or uwsgi_pass. A remote attacker can control responses from an upstream server to disclose memory contents of the NGINX worker process or cause a denial of service.
Exploitation requires man-in-the-middle ability to control responses from an upstream server. There is no control plane exposure; this is a data plane issue only.
12) Heap-based buffer overflow (CVE-ID: CVE-2026-9256)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to heap-based buffer overflow in ngx_http_rewrite_module when processing crafted HTTP requests that trigger rewrite directives using overlapping PCRE captures and multiple capture references in a redirect or arguments context. A remote attacker can send crafted HTTP requests to execute arbitrary code or crash the web server.
There is no control plane exposure; this is a data plane issue only. Code execution is possible on systems with ASLR disabled or when ASLR can be bypassed.
Remediation
Install update from vendor's website.