
CVE-2026-48142: NGINX Information Disclosure Vulnerability

CVE-2026-48142 is an information disclosure vulnerability in NGINX Plus and NGINX Open Source affecting the ngx_http_charset_module. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2026-48142 Overview

CVE-2026-48142 is a heap buffer over-read vulnerability in the ngx_http_charset_module of NGINX Plus and NGINX Open Source. The flaw is triggered when a location block is configured with both source_charset utf-8; and a charset directive such as charset koi8-r;. Remote, unauthenticated attackers can send crafted requests that, combined with conditions outside attacker control, cause an out-of-bounds read in the NGINX worker process. Successful exploitation can result in limited disclosure of process memory or a worker restart. The issue is classified under CWE-125: Out-of-bounds Read. End-of-Technical-Support (EoTS) versions were not evaluated by the vendor.

Critical Impact

Unauthenticated remote attackers can trigger heap buffer over-reads in the NGINX worker process, leading to limited memory disclosure or denial of service via worker restart.

Affected Products

  • NGINX Open Source (supported releases prior to the fixed version)
  • NGINX Plus (supported releases prior to the fixed version)
  • Deployments using ngx_http_charset_module with mismatched source_charset and charset directives

Discovery Timeline

  • 2026-06-17 - CVE-2026-48142 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-48142

Vulnerability Analysis

The vulnerability resides in the ngx_http_charset_module, which performs character set conversion on response bodies served or proxied through NGINX. When both source_charset and charset directives are set in a location block and the two character sets differ, the module recodes outgoing content. Under specific upstream conditions outside attacker control, the conversion logic reads past the boundary of a heap buffer.

The over-read exposes adjacent heap memory to the response stream or causes the worker process to crash and restart. Because NGINX commonly runs as a front-end reverse proxy and TLS terminator, leaked memory may contain residual data from prior requests, including headers or response fragments handled by the same worker.

Root Cause

The root cause is improper boundary handling during charset translation in the response filter chain. The module assumes a consistent relationship between the declared source_charset (UTF-8 in this configuration) and the byte sequences it processes. When the actual byte stream diverges from the declared encoding, internal length calculations during conversion to the target charset (for example, KOI8-R) result in a read beyond the allocated heap buffer, matching the CWE-125 pattern.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends HTTP requests to an NGINX endpoint whose location block is configured with both source_charset utf-8; and a differing charset directive. Exploitation depends on conditions the attacker cannot directly set, such as the byte content returned by upstream services or static files. This dependency increases attack complexity but does not eliminate exploitability against busy production servers.

No verified public proof-of-concept code is available at the time of publication. See the F5 Knowledge Center Article for vendor technical details.

Detection Methods for CVE-2026-48142

Indicators of Compromise

  • Unexpected NGINX worker process restarts recorded in error.log, with entries showing signal 11 (SIGSEGV) or "worker process exited on signal".
  • Response anomalies such as truncated bodies or unexpected binary fragments appearing in responses from location blocks that use the charset directive.
  • Spikes in 5xx response codes or connection resets originating from charset-converting endpoints.

Detection Strategies

  • Audit NGINX configurations for location blocks that combine source_charset utf-8; with a different charset value, since these are the only configurations affected.
  • Correlate NGINX worker crash events with inbound request patterns to identify probing behavior.
  • Inspect outbound response payloads in staging or canary environments for unexpected memory content following requests targeting charset-enabled locations.

Monitoring Recommendations

  • Forward NGINX error.log and access.log to a centralized log platform and alert on repeated worker exits within short time windows.
  • Track per-endpoint error rates and crash counters using metrics exporters such as the NGINX Prometheus exporter.
  • Enable HTTP response size and entropy monitoring on charset-converted endpoints to surface anomalous payloads.
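
The worker-exit indicator and the repeated-exit alert described above, applied to error.log lines. This is an added example, not part of the original advisory or of any vendor tooling; the threshold of 3 exits within 60 seconds, the optional signal filter and the sample log lines are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# The alert the nginx master process logs when a worker is killed by a signal.
EXIT_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
    r"worker process \d+ exited on signal (\d+)")

def worker_exit_bursts(lines, threshold=3, window=timedelta(seconds=60), signals=None):
    """Return (first_ts, last_ts, count) for each burst of at least `threshold`
    signal-terminated worker exits inside `window`. Lines must be chronological."""
    recent, alerts, in_burst = deque(), [], False
    for line in lines:
        m = EXIT_RE.match(line)
        if not m or (signals and int(m.group(2)) not in signals):
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        recent.append(ts)
        while ts - recent[0] > window:      # drop exits that left the window
            recent.popleft()
        if len(recent) < threshold:
            in_burst = False
        elif in_burst:                      # extend the alert already open
            first, _, count = alerts[-1]
            alerts[-1] = (first, ts, count + 1)
        else:
            alerts.append((recent[0], ts, len(recent)))
            in_burst = True
    return alerts

# Constructed sample error.log lines (not taken from a real incident).
SAMPLE_LOG = """\
2026/06/18 10:15:02 [alert] 811#811: worker process 9121 exited on signal 11 (core dumped)
2026/06/18 10:15:09 [error] 9122#9122: *77 upstream timed out (110: Connection timed out)
2026/06/18 10:15:20 [alert] 811#811: worker process 9122 exited on signal 11
2026/06/18 10:15:41 [alert] 811#811: worker process 9130 exited on signal 11
2026/06/18 10:16:05 [alert] 811#811: worker process 9135 exited on signal 11
2026/06/18 11:40:00 [notice] 811#811: worker process 9140 exited with code 0
2026/06/18 12:02:13 [alert] 811#811: worker process 9150 exited on signal 9
""".splitlines()

if __name__ == "__main__":
    for first, last, count in worker_exit_bursts(SAMPLE_LOG, signals={11}):
        print(f"{count} worker exits on SIGSEGV between {first} and {last}")
```

Clean worker exits ("exited with code 0") are ignored, so routine reloads do not count toward a burst.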

How to Mitigate CVE-2026-48142

Immediate Actions Required

  • Inventory all NGINX Plus and NGINX Open Source instances and identify any location blocks combining source_charset with a differing charset directive.
  • Apply the vendor-supplied patched release as soon as it is available in your distribution channel.
  • Restrict exposure of affected endpoints behind authentication or network ACLs until patching is complete.
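
One way to carry out the configuration audit from the detection strategies and the inventory step above. This is an added example, not code from the original advisory or from F5; it assumes a single configuration text with no unexpanded include directives, and the sample configuration is constructed.

```python
import re

# Quoted string | comment | brace or semicolon | bare word ('#' mid-word is not a comment).
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[{};]|[^\s{};]+')
CONTEXTS = ("http", "server", "location", "if")  # contexts where both directives are valid

def _effective(node, name):  # nearest value of a directive, walking outward to main
    while node is not None:
        if name in node["set"]:
            return node["set"][name]
        node = node["parent"]
    return None

def find_charset_mismatches(conf_text):
    """Return (context, source_charset, charset) where a utf-8 source meets another charset."""
    root = {"name": "main", "parent": None, "set": {}}
    nodes, cur, words = [root], root, []
    for tok in (t for t in TOKEN.findall(conf_text) if t[0] != "#"):
        if tok not in ("{", "}", ";"):
            words.append(tok)          # still collecting the current directive
            continue
        if tok == "{":
            cur = {"name": " ".join(words), "parent": cur, "set": {}}
            nodes.append(cur)
        elif tok == "}":
            cur = cur["parent"] or root
        elif len(words) == 2 and words[0] in ("charset", "source_charset"):
            cur["set"][words[0]] = words[1].strip("\"'").lower()
        words = []
    findings = []
    for node in nodes:                 # second pass: inheritance is order-independent
        src, dst = _effective(node, "source_charset"), _effective(node, "charset")
        in_scope = node["name"].split(" ")[0] in CONTEXTS
        if in_scope and src == "utf-8" and dst not in (None, "off", src):
            findings.append((node["name"], src, dst))
    return findings

# Constructed sample configuration (not from the page).
SAMPLE_CONF = """
http {
    server {
        location /legacy/ { charset koi8-r; }   # inherits utf-8 source: flagged
        location /api/    { charset utf-8; }    # aligned: conversion skipped
    }
    source_charset utf-8;
}
"""

if __name__ == "__main__":
    print(find_charset_mismatches(SAMPLE_CONF))
```

Feeding it the output of `nginx -T`, which dumps the full configuration with includes expanded, covers directives inherited from included files.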

Patch Information

F5 publishes fixed versions and remediation guidance for NGINX Plus and NGINX Open Source in the F5 Knowledge Center Article K000161585. Software versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported branch before applying fixes.

Workarounds

  • Remove the charset directive from affected location blocks if character set conversion is not strictly required.
  • Align source_charset and charset to the same value so the module skips conversion.
  • Move charset conversion responsibility to the upstream application and have NGINX serve the already-encoded content unchanged.
# Configuration example: align source_charset and charset to disable conversion
location /api/ {
    # Vulnerable pattern (do not use):
    # source_charset utf-8;
    # charset koi8-r;

    # Safer pattern: matching charsets skip the affected conversion path
    source_charset utf-8;
    charset utf-8;

    proxy_pass http://backend;
}
