CVE-2026-42055 Overview
CVE-2026-42055 is a heap-based buffer overflow [CWE-122] affecting NGINX Plus and NGINX Open Source. The flaw resides in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules when proxying HTTP/2 traffic upstream. A remote, unauthenticated attacker can send oversized headers during the creation of an upstream request, corrupting heap memory in the NGINX worker process. Successful exploitation triggers a worker restart and, on systems where Address Space Layout Randomization (ASLR) is disabled or bypassed, enables arbitrary code execution. The vulnerability requires a specific non-default configuration to be reachable.
Critical Impact
Remote unauthenticated attackers can crash NGINX worker processes and potentially execute code on hosts where ASLR is disabled or bypassed.
Affected Products
- NGINX Plus (versions supported by F5; End of Technical Support releases are not evaluated)
- NGINX Open Source builds using ngx_http_proxy_v2_module
- NGINX Open Source builds using ngx_http_grpc_module
Discovery Timeline
- 2026-06-17 - CVE-2026-42055 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-42055
Vulnerability Analysis
The vulnerability is a heap-based buffer overflow in the NGINX worker process. It is reachable only when three configuration conditions align. First, proxy_http_version must be set to 2 or the grpc_pass directive must be used to send upstream traffic over HTTP/2. Second, ignore_invalid_headers must be set to off. Third, large_client_header_buffers must be configured to a size greater than 2 megabytes.
When these conditions are met, an attacker who submits a request containing very large headers causes NGINX to allocate undersized heap memory while constructing the upstream HTTP/2 or gRPC request. Subsequent header copying writes past the allocation boundary, corrupting adjacent heap structures.
Root Cause
The root cause is an incorrect size calculation in the HTTP/2 and gRPC upstream modules when handling headers larger than 2 megabytes. The destination buffer is sized using assumptions that do not hold when ignore_invalid_headers is off and oversized large_client_header_buffers are configured. The mismatch between allocated buffer length and copied header length produces the heap overflow tracked under [CWE-122].
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request with abnormally large headers to a vulnerable NGINX instance acting as an HTTP/2 or gRPC reverse proxy. The worker process parses the request, allocates the upstream buffer, and writes past it. The immediate consequence is a worker crash and restart, producing denial of service. If ASLR is disabled on the host or the attacker can leak addresses to defeat it, the overflow can be steered toward code execution in the worker context. F5 notes the attack also depends on conditions outside the attacker's control, which is reflected in the high attack complexity rating.
No verified public exploit code is available. See the F5 Security Article K000161584 for vendor technical details.
Detection Methods for CVE-2026-42055
Indicators of Compromise
- Unexpected NGINX worker process crashes or restarts logged in error.log with signal 11 (SIGSEGV) entries originating from ngx_http_proxy_v2_module or ngx_http_grpc_module.
- HTTP requests to HTTP/2 or gRPC virtual hosts containing header sections that approach or exceed 2 megabytes in total size.
- Repeated upstream connection failures correlated with malformed or oversized client headers from a single source.
Detection Strategies
- Inspect NGINX configurations for the combination of proxy_http_version 2 or grpc_pass, ignore_invalid_headers off, and large_client_header_buffers exceeding 2 megabytes.
- Deploy WAF or reverse proxy rules in front of NGINX to reject requests with cumulative header sizes above a safe threshold such as 64 kilobytes.
- Forward NGINX error.log and worker crash events into a SIEM and alert on repeated worker process exit events.
Monitoring Recommendations
- Track worker process restart counts over time and alert on deviations from baseline.
- Monitor request size distribution at the edge, flagging anomalies in HTTP/2 and gRPC traffic patterns.
- Correlate source IP addresses sending oversized headers with downstream upstream connection errors.
How to Mitigate CVE-2026-42055
Immediate Actions Required
- Identify all NGINX Plus and NGINX Open Source instances proxying HTTP/2 or gRPC upstream traffic and review their configurations for the vulnerable directive combination.
- Apply the fixed NGINX Plus or NGINX Open Source release referenced in F5 Security Article K000161584.
- Verify that ASLR is enabled on every host running NGINX to limit the impact of any residual exploitation attempts.
Patch Information
F5 has published remediation guidance and fixed software versions in F5 Security Article K000161584. Software releases that have reached End of Technical Support are not evaluated and should be upgraded to a supported, patched branch.
Workarounds
- Set ignore_invalid_headers to on (the default) on server blocks that use proxy_http_version 2 or grpc_pass.
- Reduce large_client_header_buffers so the per-buffer size does not exceed 2 megabytes.
- Where HTTP/2 upstream proxying is not required, revert proxy_http_version to 1.1 until the patch is applied.
# Configuration example: safe NGINX directives that avoid the vulnerable combination
http {
# Keep invalid header rejection enabled (default)
ignore_invalid_headers on;
# Keep large_client_header_buffers below the 2 MB threshold
large_client_header_buffers 4 16k;
server {
listen 443 ssl http2;
location / {
# Use HTTP/1.1 upstream unless HTTP/2 is strictly required
proxy_http_version 1.1;
proxy_pass http://backend;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

