CVE-2026-42934

MEDIUM

NGINX Plus and NGINX Open Source - Out-of-bounds Read in ngx_http_charset_module

Title source: llm

Description

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

https://my.f5.com/manage/s/article/K000161028

Scores

CVSS v3 4.8

EPSS 0.0004

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-125

Status published

Products (5)

F5/NGINX Open Source 0.3.50 - 1.30.1

F5/NGINX Open Source 1.31.0

F5/NGINX Plus R32 - R32 P6

F5/NGINX Plus R36 - R36 P4

F5/NGINX Plus R37

Published May 13, 2026

Tracked Since May 13, 2026