CVE-2026-42055: NGINX Plus & Open Source Heap Buffer Overflow in HTTP/2 Proxy Modules
CVE-2026-42055 is a critical (CVSS 9.2) heap-based buffer overflow in NGINX Plus and NGINX Open Source HTTP/2 proxy modules that can crash worker processes or enable remote code execution when ASLR is disabled.

TL;DR
- CVE-2026-42055 is a CWE-122 heap-based buffer overflow in NGINX Plus and NGINX Open Source affecting the ngx_http_proxy_v2_module and ngx_http_grpc_module modules.
- CVSS 4.0 base score: 9.2 (Critical) - worker process crash is the baseline impact; remote code execution is possible when ASLR is disabled or bypassed.
- Affected products: F5 NGINX Plus and F5 NGINX Open Source, only when three specific configuration conditions are simultaneously met.
- Not listed in the CISA KEV catalog - no confirmed in-the-wild exploitation at the time of writing.
- Immediate action: apply the patch referenced in the F5 security advisory K000161584 or apply configuration workarounds until patching is possible.
What is CVE-2026-42055?
CVE-2026-42055 is a heap-based buffer overflow (CWE-122) in NGINX's HTTP/2 and gRPC proxy modules. When a remote attacker sends abnormally large headers to an NGINX instance configured with specific options, the worker process can overflow a heap buffer, crash, and under the right conditions allow arbitrary code execution.
The flaw sits in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules - the components responsible for forwarding upstream HTTP/2 and gRPC traffic. Three configuration conditions must all be true at the same time for the attack path to open:
- proxy_http_version 2 or grpc_pass is active.
- ignore_invalid_headers is set to off.
- large_client_header_buffers size exceeds 2 megabytes.
Because all three conditions are required together, environments using default NGINX settings are not directly exposed, but organizations that have tuned NGINX for high-throughput gRPC or HTTP/2 workloads may unknowingly satisfy every condition.
Who is affected?
- F5 NGINX Plus - all supported versions where the above configuration conditions are met.
- F5 NGINX Open Source - all supported versions where the above configuration conditions are met.
- NGINX deployments running in reverse-proxy or API gateway roles forwarding gRPC microservices traffic are at the highest operational risk.
- Note: Versions that have reached End of Technical Support (EoTS) are not evaluated by F5 and should be treated as unsupported.
How severe is it?
The CVSS 4.0 score of 9.2 (Critical) is driven by the following vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
- Network attack vector (AV:N): the attacker does not need local or adjacent access.
- High attack complexity (AC:H): the attacker cannot trigger the bug on demand alone - the three configuration preconditions must exist server-side.
- Attack requirements: Present (AT:P): exploitation depends on deployment-side conditions beyond attacker control.
- No privileges required (PR:N) and no user interaction (UI:N): any unauthenticated internet user can attempt the attack.
- High confidentiality, integrity, and availability impact (VC:H/VI:H/VA:H): in the worst case, the attacker can read memory, write arbitrary data, and terminate the worker process.
The practical worst-case scenario is a denial of service - repeated worker crashes that degrade or stop NGINX from serving traffic. Remote code execution escalates the risk significantly but requires ASLR to be disabled on the host or the attacker to chain a separate ASLR-bypass exploit. Modern Linux distributions ship with ASLR enabled by default, which meaningfully constrains RCE scenarios in most production environments.
Is it being exploited?
CVE-2026-42055 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no confirmed public in-the-wild exploitation has been reported as of the publication date of this analysis. The high attack complexity and three-condition dependency make opportunistic mass exploitation less likely than for simpler, single-condition bugs.
That said, targeted exploitation against misconfigured high-value gRPC API gateways remains a realistic threat, particularly if proof-of-concept code surfaces publicly. Organizations should treat this as a priority patch regardless of confirmed exploitation status.
How to fix and mitigate it
- Apply the vendor patch - follow the remediation steps in the F5 security advisory K000161584. F5 does not publish specific fixed version numbers in this advisory, so consult the article directly for version-specific guidance.
- Set ignore_invalid_headers to on (this is the NGINX default). Adding or confirming this directive breaks the attack precondition chain:
  http {
      ignore_invalid_headers on;
  }
- Reduce large_client_header_buffers to 2 MB or less if HTTP/2 proxying must remain active:
  http {
      large_client_header_buffers 4 2m;
  }
- Verify ASLR is enabled on all systems running NGINX to reduce the risk of RCE if the overflow is triggered:
  cat /proc/sys/kernel/randomize_va_space
  # Expected output: 2
- Audit all NGINX configurations across environments for any simultaneous use of proxy_http_version 2 or grpc_pass together with ignore_invalid_headers off and oversized header buffer settings.
- Place a WAF or rate limiter upstream of NGINX to reject or throttle requests carrying abnormally large headers as an additional defense-in-depth control.
How to detect exposure
- Configuration audit: search all nginx.conf and included files for the three co-occurring directives.
  grep -rn 'ignore_invalid_headers\|large_client_header_buffers\|proxy_http_version 2\|grpc_pass' /etc/nginx/
- Worker restart monitoring: unexpected NGINX worker crashes logged in /var/log/nginx/error.log with signals like SIGSEGV or SIGBUS may indicate exploitation attempts.
- Network monitoring: large header payloads targeting gRPC or HTTP/2 endpoints from a single source IP can signal reconnaissance or active exploitation attempts.
- Vulnerability scanners: once signature updates are published, run your scanner against NGINX versions in inventory to confirm patch status.
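The grep above only lists directive occurrences; deciding exposure still means checking that all three conditions from the advisory hold at once, including the size unit on large_client_header_buffers. The following audit script is an added example (not F5's or NGINX's own tooling) that evaluates the three conditions over a configuration text; the sample configurations are constructed, and the script assumes included files have been concatenated into the text it is given.

```python
import re

# Constructed sample (not from the advisory): meets all three preconditions at once.
VULNERABLE_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;   # 4 MB per buffer, above the 2 MB threshold
    server {
        location /api/ { grpc_pass grpc://backend:50051; }
    }
}
"""
# Same text with one workaround applied; either change alone breaks the chain.
HARDENED_CONF = VULNERABLE_CONF.replace("large_client_header_buffers 4 4m;",
                                        "large_client_header_buffers 4 2m;")

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_size(token):
    """Convert an nginx size token such as '8k', '2m' or '4096' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def check_cve_2026_42055(conf):
    """Evaluate the three co-occurring conditions over one configuration text.
    Comments are stripped first; a directive that never appears is assumed to be
    at its nginx default (ignore_invalid_headers on, large_client_header_buffers 4 8k).
    Context inheritance is not modelled: any occurrence anywhere in the text counts."""
    text = re.sub(r"#.*", "", conf)
    h2_proxy = re.search(r"\b(proxy_http_version\s+2(\.0)?|grpc_pass\s+\S+)\s*;", text) is not None
    invalid_off = re.search(r"\bignore_invalid_headers\s+off\s*;", text) is not None
    biggest = 8 * 1024  # nginx default per-buffer size
    for _num, size in re.findall(r"\blarge_client_header_buffers\s+(\d+)\s+(\S+?)\s*;", text):
        biggest = max(biggest, parse_size(size))
    oversized = biggest > 2 * 1024 ** 2
    return {
        "http2_or_grpc_proxy": h2_proxy,
        "ignore_invalid_headers_off": invalid_off,
        "header_buffer_over_2m": oversized,
        "exposed": h2_proxy and invalid_off and oversized,
    }

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_cve_2026_42055(conf))
```

Feed it the output of `nginx -T`, which prints the fully resolved configuration including every included file, so the single-text assumption holds.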
Frequently asked questions
Does CVE-2026-42055 affect every NGINX installation?
No. Only deployments that use proxy_http_version 2 or grpc_pass, set ignore_invalid_headers to off, and configure large_client_header_buffers with a size above 2 MB are vulnerable. A default NGINX installation does not meet all three conditions, so the attack surface is narrower than the critical score implies.
Can an attacker reliably execute code through this vulnerability?
Full remote code execution requires either ASLR to be disabled on the host, or the attacker to have a separate ASLR-bypass primitive. Without those conditions, the most likely outcome is a worker process restart, causing a denial of service. ASLR is enabled by default on modern Linux systems, which limits real-world RCE feasibility.
Is CVE-2026-42055 being actively exploited in the wild?
As of the time of writing, CVE-2026-42055 is not listed in the CISA Known Exploited Vulnerabilities catalog, and no confirmed public in-the-wild exploitation has been reported. That status can change quickly, so monitor vendor and CISA advisories for updates.
What is the fastest workaround if patching is not immediately possible?
Set ignore_invalid_headers to on (the default) and reduce large_client_header_buffers size to 2 MB or less. Either change alone breaks the precondition chain required to trigger the overflow. Apply the vendor patch as soon as it is available for a permanent fix.