Issue Three more CVEs for nginx just hit - one rated as critical with DoS and RCE possible

rhall

New Pleskian
Server operating system version
centos 6.10
Plesk version and microupdate number
18.0.31
Just a quick note that three more CVEs for nginx have been posted as of yesterday the 15th, with one rated as a major severity with a CVSS v4.0 score of 9.2 (Critical) and a CVSS v3.1 base score of 8.1 (High)

Reference:

and noted on their home page:

Specifically:
nginx-1.30.4 stable and nginx-1.31.3 mainline versions have been released, with fixes for:
  • Buffer overflow vulnerability when using map with regex (CVE-2026-42533)
  • Memory disclosure vulnerability when using ngx_http_slice_module (CVE-2026-60005)
  • and a use-after-free vulnerability when using ngx_http_ssi_module (CVE-2026-56434)
Here is a summary/vulnerability breakdown, and the versions impacted (which includes the very latest prior versions released and patched in May and June that are actively being exploited to take over servers):
  • CVE-2026-42533 (Major Severity)
    • Vulnerable Range: 0.9.6 – 1.31.2
    • The Flaw: A heap buffer overflow occurs when using a map directive with regex matching. If a string expression references regex capture variables before referencing the map's output variable, an attacker can crash the NGINX worker process or potentially execute remote code if ASLR is bypassed.
  • CVE-2026-60005 (Medium Severity)
    • Vulnerable Range: 1.15.8 – 1.31.2
    • The Flaw: An uninitialized memory access bug in the ngx_http_slice_module. If you compile NGINX with this non-default module (--with-http_slice_module) and combine the slice directive with unnamed regex captures, a crafted request can force worker restarts or cause limited information disclosure.
  • CVE-2026-56434 (Medium Severity)
    • Vulnerable Range: 0.8.11 – 1.31.2
    • The Flaw: A use-after-free vulnerability in the ngx_http_ssi_module. It triggers if you have Server-Side Includes (SSI) active alongside proxy_pass and proxy_buffering off. A Man-in-the-Middle (MITM) attacker controlling upstream responses can crash workers or modify memory.
You can quickly check your configs to see if you are vulnerable to these three using:
Bash:
#Check if you are using the map directive for CVE-2026-41533
nginx -T 2>/dev/null | grep -i "map "

#Check for presence of the with-http_slice_module
nginx -V 2>&1 | grep --color "with-http_slice_module"
nginx -T 2>/dev/null | grep -i "slice;"

#Check for the ngx_http_ssi_module
nginx -T 2>/dev/null | grep -E "ssi on|proxy_buffering off"

Just finished patching mine directly on an older system by compiling from source (like the last round of CVE's for nginx) and wanted to raise the alarm.

Happy Patching!
 
Back
Top