CVE-2026-42934 Overview
CVE-2026-42934 is a heap buffer over-read vulnerability in the ngx_http_charset_module module of NGINX Plus and NGINX Open Source. The flaw is triggered when charset, source_charset, charset_map, and proxy_pass with buffering disabled (proxy_buffering off) are configured together. Unauthenticated remote attackers can send crafted requests that, under conditions outside the attacker's direct control, cause the NGINX worker process to read beyond an allocated heap buffer. Successful exploitation can result in limited memory disclosure or a worker process restart. The vulnerability is classified as an Out-of-Bounds Read [CWE-125].
Critical Impact
Unauthenticated network attackers can cause limited memory disclosure or worker process restarts in NGINX deployments using the affected module configuration.
Affected Products
- NGINX Plus
- NGINX Open Source
- Configurations using ngx_http_charset_module with proxy_pass and disabled proxy buffering
Discovery Timeline
- 2026-05-13 - CVE-2026-42934 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42934
Vulnerability Analysis
The vulnerability resides in the ngx_http_charset_module, which transforms response bodies between character sets defined via the charset, source_charset, and charset_map directives. When NGINX proxies a response using proxy_pass with proxy_buffering off, the module processes upstream data in smaller, unbuffered chunks. Under specific input conditions, the charset filter reads past the end of an allocated heap buffer. The over-read returns adjacent heap memory contents to the response stream or triggers a fault that restarts the worker. Because the trigger depends on upstream data alignment and chunk boundaries, the attacker cannot fully control the disclosed bytes. The issue is reachable over the network without authentication or user interaction.
Root Cause
The root cause is improper boundary checking in the charset translation logic when operating on unbuffered proxied response data. The module assumes input buffers contain complete, well-formed byte sequences for the configured source charset. Partial multibyte sequences split across chunk boundaries can cause the conversion routine to read bytes beyond the buffer end. This is a classic Out-of-Bounds Read [CWE-125] caused by missing length validation before dereferencing buffer pointers.
Attack Vector
An unauthenticated attacker sends HTTP requests to an NGINX server configured with the vulnerable directive combination. The request must traverse a proxy_pass location where proxy_buffering is set to off and the charset filter is active. The upstream response, combined with the request path, must produce input that splits multibyte sequences at chunk boundaries. The attacker cannot directly control the upstream response, which limits exploit reliability. Successful triggering leaks small fragments of worker process heap memory to the client or causes a worker restart, producing a partial denial of service.
No public proof-of-concept exploit code is available. Refer to the F5 Security Advisory K000161028 for vendor technical details.
Detection Methods for CVE-2026-42934
Indicators of Compromise
- Unexpected NGINX worker process restarts logged in error.log with signal 11 (SIGSEGV) entries
- HTTP responses containing unexpected binary or non-printable bytes following text content
- Elevated rates of connection resets from NGINX during charset-transformed proxy responses
- Abnormal request patterns targeting endpoints that use proxy_pass with charset conversion
Detection Strategies
- Audit all NGINX configurations for simultaneous use of charset, source_charset, charset_map, and proxy_pass with proxy_buffering off
- Monitor nginx -T output to identify locations exposing the vulnerable directive combination
- Inspect worker process crash counts and worker_process respawn events over time
- Deploy network detections for response anomalies on charset-converted proxy endpoints
Monitoring Recommendations
- Forward NGINX error.log and access.log to a centralized log platform for correlation
- Alert on repeated worker process termination signals within short time windows
- Track HTTP 502 and connection-reset rates per proxied upstream
- Baseline response sizes on charset-enabled endpoints and alert on outliers
How to Mitigate CVE-2026-42934
Immediate Actions Required
- Apply the patched NGINX Plus or NGINX Open Source release identified in the F5 Security Advisory K000161028
- Inventory all NGINX instances and identify those running supported, non-EoTS versions
- Review configurations for the vulnerable directive combination and prioritize patching internet-facing servers
- Restart NGINX workers after patching to ensure new binaries are in use
Patch Information
F5 has published remediation guidance in F5 Security Advisory K000161028. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to a supported release. Verify the installed NGINX version using nginx -v and confirm it matches or exceeds the fixed version listed in the advisory.
Workarounds
- Enable response buffering by setting proxy_buffering on in affected location or server blocks
- Remove the charset, source_charset, or charset_map directives from configurations that proxy with buffering disabled
- Restrict access to affected endpoints using allow/deny rules until patching completes
- Place a Web Application Firewall in front of NGINX to filter malformed requests targeting charset-enabled paths
# Configuration example: enable proxy buffering to mitigate exposure
location /api/ {
proxy_pass http://upstream_backend;
proxy_buffering on; # mitigates CVE-2026-42934
# charset utf-8; # safe when buffering is enabled
# source_charset iso-8859-1;
}
# Verify installed NGINX version
nginx -v
# Validate configuration after changes
nginx -t && nginx -s reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
