CVE-2026-40701 Overview
CVE-2026-40701 is a heap use-after-free vulnerability [CWE-416] affecting NGINX Plus and NGINX Open Source. The flaw resides in the ngx_http_ssl_module module when specific TLS client verification options are enabled. Affected configurations include the ssl_verify_client directive set to on or optional, combined with ssl_ocsp set to on or leaf parameters configured with a resolver.
An unauthenticated remote attacker can send crafted requests with conditions beyond its control to trigger the heap use-after-free in the NGINX worker process. Successful exploitation may result in limited data modification or worker process restarts.
Critical Impact
An unauthenticated attacker on the network can trigger memory corruption in NGINX worker processes, leading to worker restarts and limited integrity impact on systems using client certificate verification with OCSP stapling.
Affected Products
- NGINX Plus (versions still under Technical Support)
- NGINX Open Source (versions still under Technical Support)
- Configurations using ngx_http_ssl_module with ssl_verify_client on|optional and ssl_ocsp on or leaf resolver settings
Discovery Timeline
- 2026-05-13 - CVE-2026-40701 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40701
Vulnerability Analysis
The vulnerability is a heap use-after-free condition classified under [CWE-416]. It manifests in NGINX's HTTP SSL module during client certificate verification workflows that involve Online Certificate Status Protocol (OCSP) validation. The issue arises only when the server is configured to verify client certificates and perform OCSP checks against an external responder.
When an unauthenticated attacker submits requests under specific external conditions, the NGINX worker process accesses heap memory after it has been freed. This results in undefined behavior within the worker process. The impact is limited to integrity loss and availability degradation through worker process restarts, with no direct path to remote code execution disclosed in the advisory.
The EPSS score is 0.026%, indicating a low probability of observed exploitation in the near term. No public proof-of-concept has been reported, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is improper management of heap-allocated objects during the OCSP validation flow within ngx_http_ssl_module. A reference to a freed memory region is reused under attacker-influenced conditions, satisfying the classic use-after-free pattern.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker establishes a TLS connection to an NGINX instance configured with ssl_verify_client and ssl_ocsp and submits requests that trigger the vulnerable code path during certificate verification.
No verified exploitation code is available. Refer to the F5 Security Article K000161021 for vendor-provided technical details on the vulnerable code paths and mitigations.
Detection Methods for CVE-2026-40701
Indicators of Compromise
- Unexpected NGINX worker process restarts logged in error.log with signal-related termination messages
- Abnormal volumes of TLS client certificate verification attempts from unauthenticated sources
- OCSP validation errors or timeouts correlated with worker process crashes
Detection Strategies
- Monitor NGINX error.log for repeated worker crashes referencing SSL or OCSP code paths
- Inspect TLS handshake telemetry for repeated client certificate submissions from a single source
- Correlate process restart events with TLS endpoint traffic spikes to identify exploitation patterns
Monitoring Recommendations
- Enable verbose NGINX error logging on TLS endpoints using ssl_verify_client and ssl_ocsp
- Forward NGINX logs and process telemetry to a centralized SIEM for correlation
- Alert on any NGINX worker segmentation fault or abnormal exit code in production
How to Mitigate CVE-2026-40701
Immediate Actions Required
- Identify NGINX instances using ssl_verify_client on|optional with ssl_ocsp on or a configured resolver for leaf parameters
- Apply F5-provided patches as documented in the vendor advisory once available for your branch
- Restrict network exposure of affected TLS endpoints to trusted clients where feasible
Patch Information
F5 has published guidance in F5 Security Article K000161021. Apply the fixed NGINX Plus or NGINX Open Source release referenced in the advisory. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded.
Workarounds
- Disable ssl_ocsp if OCSP validation is not strictly required by the deployment
- Remove the resolver configuration for leaf parameters if OCSP responder lookup is not needed
- Change ssl_verify_client to off on endpoints that do not require client certificate authentication
# Example: disable OCSP stapling for client certs as a temporary workaround
server {
listen 443 ssl;
ssl_verify_client on;
# ssl_ocsp on; # Comment out until patch is applied
# resolver 1.1.1.1; # Remove resolver used for OCSP leaf lookups
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
