CVE-2026-42946 Overview
CVE-2026-42946 affects the ngx_http_scgi_module and ngx_http_uwsgi_module modules in NGINX. The flaw permits excessive memory allocation or an over-read of process memory when handling responses from upstream SCGI or uWSGI servers. An unauthenticated attacker with man-in-the-middle (MITM) positioning between NGINX and the upstream service can manipulate responses to read memory from the NGINX worker process or force a worker restart. The issue is tracked under [CWE-789: Memory Allocation with Excessive Size Value]. F5 published advisory K000161027 describing affected configurations using scgi_pass or uwsgi_pass directives.
Critical Impact
An attacker controlling upstream SCGI or uWSGI responses can read NGINX worker process memory or trigger denial of service through worker restart.
Affected Products
- NGINX with ngx_http_scgi_module enabled and scgi_pass configured
- NGINX with ngx_http_uwsgi_module enabled and uwsgi_pass configured
- F5 NGINX product lines using the affected modules (refer to vendor advisory for specific versions)
Discovery Timeline
- 2026-05-13 - CVE-2026-42946 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42946
Vulnerability Analysis
The vulnerability resides in how the ngx_http_scgi_module and ngx_http_uwsgi_module parse responses returned by upstream application servers. Both modules implement custom binary protocols where the upstream server declares the size or structure of header and body data. Improper validation of these size values allows a hostile upstream to influence NGINX memory operations.
When NGINX trusts attacker-controlled length fields, it can allocate buffers far larger than legitimate responses or read past valid buffer boundaries during parsing. The result is either memory disclosure from the worker process address space or an abnormal worker termination handled by the master process via restart.
The attack is classified as [CWE-789] because the root condition is allocation driven by an untrusted size value. Exploitation requires the attacker to occupy a network position capable of substituting upstream responses, such as a compromised internal network segment or a hijacked upstream connection.
Root Cause
The modules fail to enforce strict bounds on length fields contained in SCGI and uWSGI protocol responses. Length values supplied by the upstream are used directly in memory allocation or buffer read paths without sufficient sanity checks against the actual response payload.
Attack Vector
Exploitation requires a network-adjacent attacker capable of intercepting or impersonating the upstream SCGI or uWSGI service. The attacker returns a crafted protocol response declaring oversized or malformed length fields. NGINX then either over-allocates memory, reads beyond allocated buffers exposing worker memory contents in subsequent responses, or crashes the worker. No authentication or user interaction is required against NGINX itself.
No public proof-of-concept is available. See the F5 Knowledge Article K000161027 for vendor-supplied technical detail.
Detection Methods for CVE-2026-42946
Indicators of Compromise
- Unexpected NGINX worker process restarts recorded in error.log with signals such as SIGSEGV or messages referencing worker process exited
- Abnormally large memory allocations by NGINX worker processes correlated with upstream SCGI or uWSGI traffic
- Malformed SCGI or uWSGI protocol frames captured between NGINX and upstream application servers
Detection Strategies
- Inspect NGINX error.log for repeated worker termination and restart cycles tied to specific upstream backends
- Monitor for response payloads from upstream servers that contain length fields inconsistent with the actual byte count delivered
- Baseline NGINX worker memory consumption and alert on sudden growth correlated with scgi_pass or uwsgi_pass routes
Monitoring Recommendations
- Enable verbose logging on reverse proxy routes that use scgi_pass or uwsgi_pass and forward logs to a centralized analytics platform
- Capture and inspect upstream traffic on internal segments where NGINX communicates with SCGI or uWSGI workers
- Alert on unauthorized devices appearing on the network path between NGINX and upstream application servers
How to Mitigate CVE-2026-42946
Immediate Actions Required
- Apply the security update referenced in F5 Knowledge Article K000161027 to all NGINX instances using scgi_pass or uwsgi_pass
- Inventory NGINX configurations to identify every virtual host that relies on the SCGI or uWSGI modules
- Restrict network paths between NGINX and upstream application servers to trusted segments only
Patch Information
F5 has published vendor guidance in K000161027. Software versions that have reached End of Technical Support are not evaluated by the vendor and should be upgraded to a supported release containing the fix. Administrators should consult the advisory for the specific patched build numbers applicable to their NGINX Plus or NGINX OSS deployment.
Workarounds
- Disable the ngx_http_scgi_module or ngx_http_uwsgi_module if neither directive is required in production
- Place NGINX and upstream SCGI or uWSGI workers on the same host using Unix domain sockets to eliminate network-based MITM exposure
- Enforce mutual TLS or IPsec on connections between NGINX and remote upstream servers to prevent response tampering
# Example: restrict upstream to a local Unix socket to remove MITM exposure
location /app/ {
uwsgi_pass unix:/var/run/uwsgi/app.sock;
include uwsgi_params;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
