[{"data":1,"prerenderedAt":700},["ShallowReactive",2],{"switcher-blog-pareja":3,"art-nginx-cve-batch-may-2026-en":6},{"en":4,"es":5},"\u002Fen\u002Fblog\u002Fnginx-cve-batch-may-2026\u002F","\u002Fes\u002Fblog\u002Fnginx-tanda-cves-mayo-2026\u002F",{"id":7,"title":8,"author":9,"body":10,"date":686,"description":687,"extension":688,"image":689,"meta":690,"navigation":470,"pareja":691,"path":692,"seo":693,"stem":694,"tags":695,"__hash__":699},"blogEn\u002Fen\u002Fblog\u002Fnginx-cve-batch-may-2026.md","Nginx ships two security releases in nine days: seven CVEs and why you should patch now","Paco Cubel",{"type":11,"value":12,"toc":667},"minimark",[13,18,27,35,39,57,60,64,75,218,226,235,239,258,262,300,304,341,345,348,352,374,397,401,509,523,537,541,544,568,574,578,590,594,597,627,630,634,663],[14,15,17],"h2",{"id":16},"two-advisories-in-the-same-fortnight","Two advisories in the same fortnight",[19,20,21,22,26],"p",{},"When a project as mature as Nginx puts out ",[23,24,25],"strong",{},"two security releases in nine days",", it's worth looking up from whatever you're doing. That's exactly what happened in mid-May: first the big batch on the 13th (six CVEs at once) and, as a bonus, another patch on the 22nd with a seventh.",[19,28,29,30,34],{},"None of them is the end of the world on its own, but together they touch parts almost everyone runs: the ",[31,32,33],"code",{},"rewrite"," module, the HTTP\u002F2 proxy, HTTP\u002F3 and the resolver. If you manage web servers — your own or your clients' — this one's for you.",[14,36,38],{"id":37},"in-one-sentence","In one sentence",[19,40,41,42,45,46,52,53,56],{},"There are ",[23,43,44],{},"seven vulnerabilities"," spread across two releases. The scariest is a ",[23,47,48,49,51],{},"buffer overflow in the ",[31,50,33],{}," module"," (the one half the internet uses to rewrite URLs), and the most talked-about is an ",[23,54,55],{},"HTTP\u002F2 request injection"," when Nginx acts as a proxy. The rest are out-of-bounds reads, an address spoofing flaw in HTTP\u002F3 and a use-after-free in OCSP requests.",[19,58,59],{},"The good news: it's fixed by updating the package and reloading. No machine reboot.",[14,61,63],{"id":62},"all-seven-ordered-by-what-you-should-look-at-first","All seven, ordered by what you should look at first",[19,65,66,67,74],{},"These are the figures exactly as published in ",[68,69,73],"a",{"href":70,"rel":71},"https:\u002F\u002Fnginx.org\u002Fen\u002Fsecurity_advisories.html",[72],"nofollow","Nginx's own security advisory",":",[76,77,78,97],"table",{},[79,80,81],"thead",{},[82,83,84,88,91,94],"tr",{},[85,86,87],"th",{},"CVE",[85,89,90],{},"Component",[85,92,93],{},"Type",[85,95,96],{},"Fixed in",[98,99,100,119,135,151,172,188,203],"tbody",{},[82,101,102,108,113,116],{},[103,104,105],"td",{},[23,106,107],{},"CVE-2026-42945",[103,109,110],{},[31,111,112],{},"ngx_http_rewrite_module",[103,114,115],{},"Buffer overflow",[103,117,118],{},"1.30.1 \u002F 1.31.0 (13 May)",[82,120,121,126,130,132],{},[103,122,123],{},[23,124,125],{},"CVE-2026-9256",[103,127,128],{},[31,129,112],{},[103,131,115],{},[103,133,134],{},"1.30.2 \u002F 1.31.1 (22 May)",[82,136,137,142,147,149],{},[103,138,139],{},[23,140,141],{},"CVE-2026-42926",[103,143,144],{},[31,145,146],{},"ngx_http_proxy_module",[103,148,55],{},[103,150,118],{},[82,152,153,158,167,170],{},[103,154,155],{},[23,156,157],{},"CVE-2026-42946",[103,159,160,163,164],{},[31,161,162],{},"ngx_http_scgi_module"," \u002F ",[31,165,166],{},"ngx_http_uwsgi_module",[103,168,169],{},"Out-of-bounds read",[103,171,118],{},[82,173,174,179,184,186],{},[103,175,176],{},[23,177,178],{},"CVE-2026-42934",[103,180,181],{},[31,182,183],{},"ngx_http_charset_module",[103,185,169],{},[103,187,118],{},[82,189,190,195,198,201],{},[103,191,192],{},[23,193,194],{},"CVE-2026-40460",[103,196,197],{},"HTTP\u002F3 (QUIC)",[103,199,200],{},"Address spoofing",[103,202,118],{},[82,204,205,210,213,216],{},[103,206,207],{},[23,208,209],{},"CVE-2026-40701",[103,211,212],{},"OCSP in the resolver",[103,214,215],{},"Use-after-free",[103,217,118],{},[219,220,222,223,225],"h3",{"id":221},"the-two-in-the-rewrite-module-cve-2026-42945-and-cve-2026-9256","The two in the ",[31,224,33],{}," module (CVE-2026-42945 and CVE-2026-9256)",[19,227,228,229,234],{},"These are the ones you care about most, for a simple reason: ",[23,230,231,232],{},"almost nobody serves without ",[31,233,33],{},". Redirects, clean URLs, forcing HTTPS, proxy rewrites... all of that goes through that module. A buffer overflow there is, worst case, the doorstep to code execution. The fact that they had to touch it again nine days later (CVE-2026-9256) tells you the area was hot.",[219,236,238],{"id":237},"the-http2-injection-cve-2026-42926","The HTTP\u002F2 injection (CVE-2026-42926)",[19,240,241,242,245,246,249,250,253,254,257],{},"The flashiest one, though with ",[23,243,244],{},"conditions",": it only bites if you configure Nginx to proxy upstream over HTTP\u002F2 (",[31,247,248],{},"proxy_http_version 2",") ",[23,251,252],{},"and"," you use ",[31,255,256],{},"proxy_set_body",". In that scenario an attacker can slip in bytes the upstream reads as extra HTTP\u002F2 headers or frames, tampering with the request that lands behind it. Its CVSS is 5.8 (medium), but \"request smuggling\" patterns always cause more trouble than their score suggests. If you don't run that combination, you're not affected; if you do, it's a priority.",[219,259,261],{"id":260},"the-other-four","The other four",[263,264,265,286,295],"ul",{},[266,267,268,270,271,273,274,277,278,281,282,285],"li",{},[23,269,157],{}," and ",[23,272,178],{},": out-of-bounds reads in ",[31,275,276],{},"scgi","\u002F",[31,279,280],{},"uwsgi"," and in ",[31,283,284],{},"charset",". Memory disclosure or a crashed worker. Most relevant if you gateway to Python\u002FPHP apps over SCGI\u002FuWSGI.",[266,287,288,290,291,294],{},[23,289,194],{},": address spoofing in HTTP\u002F3. Only touches you if you have ",[23,292,293],{},"QUIC\u002FHTTP\u002F3 enabled"," (increasingly common; if you followed our HTTP\u002F3 piece, give it a look).",[266,296,297,299],{},[23,298,209],{},": use-after-free in the resolver's OCSP requests. Shows up with OCSP stapling and dynamic resolution.",[14,301,303],{"id":302},"whos-affected","Who's affected",[263,305,306,328],{},[266,307,308,311,312,315,316,319,320,323,324,327],{},[23,309,310],{},"Affected branches",": mainline ",[31,313,314],{},"1.29.x"," up to ",[31,317,318],{},"1.30.0",", and stable versions earlier than ",[31,321,322],{},"1.30.1",". If your ",[31,325,326],{},"nginx -v"," is older than those numbers, you're in the bag.",[266,329,330,333,334,337,338,340],{},[23,331,332],{},"Highest risk",": any internet-facing Nginx, and especially those acting as a ",[23,335,336],{},"reverse proxy"," (which is basically the default use case today). Almost everyone has the ",[31,339,33],{}," module active.",[14,342,344],{"id":343},"what-to-do-today","What to do today",[19,346,347],{},"No fluff. Check your version and update to the right branch.",[219,349,351],{"id":350},"_1-check-which-version-you-have","1. Check which version you have",[353,354,359],"pre",{"className":355,"code":356,"language":357,"meta":358,"style":358},"language-bash shiki shiki-themes github-light github-dark","nginx -v\n","bash","",[31,360,361],{"__ignoreMap":358},[362,363,366,370],"span",{"class":364,"line":365},"line",1,[362,367,369],{"class":368},"sScJk","nginx",[362,371,373],{"class":372},"sj4cs"," -v\n",[263,375,376,387],{},[266,377,378,379,382,383,386],{},"On the ",[23,380,381],{},"stable"," branch, the target is ",[23,384,385],{},"1.30.2 or newer",".",[266,388,389,390,393,394,386],{},"On ",[23,391,392],{},"mainline",", the target is ",[23,395,396],{},"1.31.1 or newer",[219,398,400],{"id":399},"_2-update-and-reload-no-downtime","2. Update and reload (no downtime)",[353,402,404],{"className":355,"code":403,"language":357,"meta":358,"style":358},"# Debian \u002F Ubuntu\nsudo apt update && sudo apt install --only-upgrade nginx\nsudo nginx -t && sudo systemctl reload nginx\n\n# RHEL \u002F AlmaLinux \u002F Rocky\nsudo dnf update nginx\nsudo nginx -t && sudo systemctl reload nginx\n",[31,405,406,412,442,465,472,478,490],{"__ignoreMap":358},[362,407,408],{"class":364,"line":365},[362,409,411],{"class":410},"sJ8bj","# Debian \u002F Ubuntu\n",[362,413,415,418,422,425,429,431,433,436,439],{"class":364,"line":414},2,[362,416,417],{"class":368},"sudo",[362,419,421],{"class":420},"sZZnC"," apt",[362,423,424],{"class":420}," update",[362,426,428],{"class":427},"sVt8B"," && ",[362,430,417],{"class":368},[362,432,421],{"class":420},[362,434,435],{"class":420}," install",[362,437,438],{"class":372}," --only-upgrade",[362,440,441],{"class":420}," nginx\n",[362,443,445,447,450,453,455,457,460,463],{"class":364,"line":444},3,[362,446,417],{"class":368},[362,448,449],{"class":420}," nginx",[362,451,452],{"class":372}," -t",[362,454,428],{"class":427},[362,456,417],{"class":368},[362,458,459],{"class":420}," systemctl",[362,461,462],{"class":420}," reload",[362,464,441],{"class":420},[362,466,468],{"class":364,"line":467},4,[362,469,471],{"emptyLinePlaceholder":470},true,"\n",[362,473,475],{"class":364,"line":474},5,[362,476,477],{"class":410},"# RHEL \u002F AlmaLinux \u002F Rocky\n",[362,479,481,483,486,488],{"class":364,"line":480},6,[362,482,417],{"class":368},[362,484,485],{"class":420}," dnf",[362,487,424],{"class":420},[362,489,441],{"class":420},[362,491,493,495,497,499,501,503,505,507],{"class":364,"line":492},7,[362,494,417],{"class":368},[362,496,449],{"class":420},[362,498,452],{"class":372},[362,500,428],{"class":427},[362,502,417],{"class":368},[362,504,459],{"class":420},[362,506,462],{"class":420},[362,508,441],{"class":420},[19,510,511,512,515,516,519,520,522],{},"That ",[31,513,514],{},"nginx -t"," before the ",[31,517,518],{},"reload"," isn't optional: it validates the config and stops a reload from taking the service down over a silly typo. The ",[31,521,518],{}," swaps in the new binary without dropping in-flight connections.",[524,525,526],"blockquote",{},[19,527,528,529,532,533,536],{},"If you installed Nginx from the official nginx.org repository instead of your distro's, update from there (",[31,530,531],{},"nginx.org\u002Fpackages","). Distributions sometimes backport the fix while keeping the version number: ",[23,534,535],{},"don't trust the number alone, check the package date"," or your distro's security changelog.",[219,538,540],{"id":539},"_3-if-you-cant-update-right-now","3. If you can't update right now",[19,542,543],{},"Temporary mitigations depending on what you have exposed:",[263,545,546,558],{},[266,547,548,551,552,554,555,557],{},[23,549,550],{},"HTTP\u002F2 as a proxy"," (CVE-2026-42926): if you don't need ",[31,553,248],{}," with ",[31,556,256],{},", drop the proxy to HTTP\u002F1.1 while you patch.",[266,559,560,563,564,567],{},[23,561,562],{},"HTTP\u002F3"," (CVE-2026-40460): if you have QUIC enabled experimentally, you can turn it off temporarily (",[31,565,566],{},"listen 443 quic;",") until you update.",[19,569,570,571],{},"These are stopgaps to shrink the attack surface. ",[23,572,573],{},"They don't replace the patch.",[14,575,577],{"id":576},"what-we-did","What we did",[19,579,580,581,583,584,586,587,589],{},"As soon as the 13th's batch dropped we rolled it out across the internet-facing Nginx boxes we manage, prioritising the ones doing reverse proxy with complex ",[31,582,33],{}," rules. When the second patch landed on the 22nd with CVE-2026-9256 — the ",[31,585,33],{}," module again — we ran another pass instead of assuming the first one had us covered. That's the difference between \"I updated it the other day\" and \"it's on the right version\": the second one you confirm with ",[31,588,326],{},", not from memory.",[14,591,593],{"id":592},"the-same-old-routine","The same old routine",[19,595,596],{},"With Nginx, just like with the kernel, the five moves are the same:",[263,598,599,604,612,617,622],{},[266,600,601,603],{},[31,602,326],{}," to know where you stand.",[266,605,606,277,609,386],{},[31,607,608],{},"apt",[31,610,611],{},"dnf update",[266,613,614,616],{},[31,615,514],{}," to validate.",[266,618,619,386],{},[31,620,621],{},"systemctl reload nginx",[266,623,624,626],{},[31,625,326],{}," again to confirm.",[19,628,629],{},"Keeping your update plan current isn't a luxury: it's what turns a batch of seven CVEs into an ordinary Tuesday rather than an incident. If your web server hasn't seen a patch in months, let's talk.",[14,631,633],{"id":632},"references","References",[263,635,636,642,649,656],{},[266,637,638],{},[68,639,641],{"href":70,"rel":640},[72],"nginx security advisories — nginx.org",[266,643,644],{},[68,645,648],{"href":646,"rel":647},"https:\u002F\u002Fnginx.org\u002F2026.html",[72],"nginx news 2026 — nginx.org",[266,650,651],{},[68,652,655],{"href":653,"rel":654},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-42926",[72],"CVE-2026-42926 Detail — NVD",[266,657,658],{},[68,659,662],{"href":660,"rel":661},"https:\u002F\u002Fwww.openwall.com\u002Flists\u002Foss-security\u002F2026\u002F05\u002F13\u002F7",[72],"NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 — oss-security",[664,665,666],"style",{},"html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}",{"title":358,"searchDepth":414,"depth":414,"links":668},[669,670,671,677,678,683,684,685],{"id":16,"depth":414,"text":17},{"id":37,"depth":414,"text":38},{"id":62,"depth":414,"text":63,"children":672},[673,675,676],{"id":221,"depth":444,"text":674},"The two in the rewrite module (CVE-2026-42945 and CVE-2026-9256)",{"id":237,"depth":444,"text":238},{"id":260,"depth":444,"text":261},{"id":302,"depth":414,"text":303},{"id":343,"depth":414,"text":344,"children":679},[680,681,682],{"id":350,"depth":444,"text":351},{"id":399,"depth":444,"text":400},{"id":539,"depth":444,"text":540},{"id":576,"depth":414,"text":577},{"id":592,"depth":414,"text":593},{"id":632,"depth":414,"text":633},"2026-05-22","In mid-May Nginx put out two back-to-back security releases closing seven vulnerabilities, including a buffer overflow in the rewrite module and an HTTP\u002F2 request injection. Here's which ones actually matter, who's affected and how to update without breaking anything.","md","\u002Fog\u002Fog-default.png",{},"nginx-tanda-cves-mayo-2026","\u002Fen\u002Fblog\u002Fnginx-cve-batch-may-2026",{"title":8,"description":687},"en\u002Fblog\u002Fnginx-cve-batch-may-2026",[696,697,698,87],"Nginx","Servers","Security","yvQX71KAK2iZjI9GV9_sdZX-FMs7_WaP_w0t_Tg5mrA",1781154907981]