Warning: Multiple vulnerabilities in nginx leading to Remote Code Execution and allowing rate-limit bypassing, Patch Immediately!

  • Published: 18/05/2026
  • Last update: 18/05/2026
  • Affected software:
    The affected versions differ per vulnerability; the versions listed below are vulnerable to at least one of the issues described in this advisory. See the F5 advisories for details on each vulnerability. Not all products have a fix or patch for all vulnerabilities.
    → NGINX Plus < 37.0.0 and R32 – R36
    → NGINX Open Source < 1.30.1
    → NGINX Instance Manager 2.16.0 - 2.22.0
    → F5 WAF for NGINX < 5.13.0
    → NGINX App Protect WAF 4.9.0 - 4.16.0 and 5.1.0 - 5.8.0
    → F5 DoS for NGINX 4.8.0
    → NGINX App Protect DoS 4.3.0 - 4.7.0
    → NGINX Gateway Fabric 1.3.0 - 1.6.2 and 2.0.0 - 2.6.0
    → NGINX Ingress Controller 3.5.0 - 3.7.2 and 4.0.0 - 4.0.1 and 5.0.0 - 5.4.2
  • Type:
    → CWE-122: Heap-based Buffer Overflow
    → CWE-789: Memory Allocation with Excessive Size Value
    → CWE-823: Use of Out-of-range Pointer Offset
    → CWE-416: Use After Free
    → CWE-125: Out-of-bounds Read
    → CWE-172: Encoding Error
    → CWE-290: Authentication Bypass by Spoofing
  • CVE/CVSS
    → CVE-2026-42945: CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2026-42946: CVSS 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)
    → CVE-2026-40460: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
    → CVE-2026-42926: CVSS 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
    → CVE-2026-40701: CVSS 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
    → CVE-2026-42934: CVSS 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)

Sources

Depth First Article - https://depthfirst.com/nginx-rift
F5 Security Advisory - https://my.f5.com/manage/s/article/K000161019
F5 Security Advisory - https://my.f5.com/manage/s/article/K000161027
F5 Security Advisory - https://my.f5.com/manage/s/article/K000161131
F5 Security Advisory - https://my.f5.com/manage/s/article/K000161068
F5 Security Advisory - https://my.f5.com/manage/s/article/K000161021
F5 Security Advisory - https://my.f5.com/manage/s/article/K000161028

Risks

An unauthenticated attacker can remotely execute code and crash or take over the system. When nginx is configured to use HTTP/3 QUIC, an attacker can also bypass rate limiting. nginx is very popular and commonly publicly reachable, which encourages attackers to try to exploit these vulnerabilities rapidly.

There is a high impact on confidentiality, integrity, and availability, especially when multiple vulnerabilities are combined or chained.

Description

CVE-2026-42945 is a vulnerability in ngx_http_rewrite_module. The vulnerability is present when a ‘rewrite’ directive with an unnamed regex capture (e.g. $1) and a replacement string containing a question mark is followed by another ‘rewrite’, ‘if’ or ‘set’ directive. This is a common pattern. An unauthenticated attacker can exploit this by sending a crafted HTTP request, causing a buffer overflow. nginx incorrectly computes the size of the memory required and writes data derived from the attacker-provided URI to heap memory, likely crashing the service and possibly, when executed correctly, leading to remote code execution by the attacker. If patching is not possible yet, a workaround is to rewrite the directives, as shown in the Depth First article.
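The following configuration audit is an added example, not part of the advisory or of nginx: it flags ‘rewrite’ directives that match the CVE-2026-42945 precondition described above so they can be prioritised for patching or review. It assumes "followed by" means a later directive in the same block, does not resolve `include` files, and runs on a constructed sample configuration; `parse_blocks` and `find_risky_rewrites` are names chosen here.

```python
import re

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\']+')
FOLLOWERS = {"rewrite", "if", "set"}  # directives the advisory names

def parse_blocks(conf):
    """Return, per {...} block, its directives in order as (line, name, args)."""
    blocks, stack, words, start = [], [[]], [], 0
    for lineno, line in enumerate(conf.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*", "", line)  # naive: '#' inside quotes is not handled
        for tok in TOKEN.findall(line):
            if tok in (";", "{"):
                if words:
                    stack[-1].append((start, words[0], [w.strip("\"'") for w in words[1:]]))
                words = []
                if tok == "{":
                    stack.append([])
            elif tok == "}":
                blocks.append(stack.pop() if len(stack) > 1 else [])
            else:
                start = start if words else lineno
                words.append(tok)
    return blocks + stack

def find_risky_rewrites(conf):
    """Line numbers of rewrite directives matching the described precondition."""
    hits = []
    for block in parse_blocks(conf):
        for i, (line, name, args) in enumerate(block):
            # Assumption: "followed by" = any later rewrite/if/set in the same block.
            followed = any(n in FOLLOWERS for _, n, _ in block[i + 1:])
            risky_repl = len(args) > 1 and re.search(r"\$\d", args[1]) and "?" in args[1]
            if name == "rewrite" and risky_repl and followed:
                hits.append(line)
    return sorted(hits)

# Constructed sample configuration (not taken from the advisory).
SAMPLE = r'''
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/index.php?page=$1 break;
        set $flag 1;
    }
    location /safe/ {
        rewrite ^/safe/(.*)$ /app/$1 last;    # no question mark in replacement
        set $flag 2;
    }
}
'''
print(find_risky_rewrites(SAMPLE))  # [4]
```

A hit means the configuration matches the pattern the advisory describes, not that the running binary is vulnerable; check the installed version against the affected-software list as well.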

CVE-2026-42946 is a vulnerability in ngx_http_scgi_module and ngx_http_uwsgi_module. An unauthenticated attacker that manages to man-in-the-middle the responses from an upstream server can read the memory of an nginx worker process or restart it.

CVE-2026-40460 is a vulnerability that is exploitable when nginx is configured to use the HTTP/3 QUIC module. An attacker can spoof their source IP, bypassing rate limiting and IP-based authorization.

CVE-2026-42926 is a vulnerability that is exploitable when nginx is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2 and uses proxy_set_body. In those circumstances, an unauthenticated remote attacker can inject arbitrary HTTP/2 frame headers and payload bytes into the upstream peer.

CVE-2026-40701 is a vulnerability in ngx_http_ssl_module that is exploitable when the ssl_verify_client directive is set to "on" or "optional", and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. This allows an unauthenticated attacker to send requests that, along with conditions beyond the attacker's control, may cause a heap-use-after-free error in the NGINX worker process. This can cause the NGINX worker to restart or lead to limited data modification.

CVE-2026-42934 is a vulnerability in ngx_http_charset_module that is exploitable when the charset, source_charset, and charset_map directives are configured together with proxy_pass with disabled buffering ("off"). In those circumstances, unauthenticated attackers may cause a restart of the nginx worker or disclose memory contents.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-42945
NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-42946
NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-42926
NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-40460
NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-40701
NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-42934