Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers
Summary
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart of the NGINX worker process and a Denial of Service (DoS). Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled or bypassed, this vulnerability could also allow for arbitrary code execution. This issue is classified as Important severity primarily because: Conditions for Exploitation: A remote, unauthenticated attacker can only exploit this if NGINX is explicitly configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module. Impact Limitations: While the flaw reliably causes a Denial of Service (worker restart), achieving arbitrary code execution is highly complex in modern environments as it requires the attacker to bypass or disable Address Space Layout Randomization (ASLR) Red Hat severity: Important — CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Weakness: CWE-131. Fixed by RHSA-2026:27197 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- nginx-main-1.30.3-2.hum1
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
- nginx-main-1.30.3-2.hum1
- RHSA-2026:27197
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Mitigation checklist
- To mitigate this vulnerability, ensure that the `ignore_invalid_headers` directive is set to `on` in your NGINX configuration, or reduce the size specified by the `large_client_header_buffers` directive to 2 megabytes or less. These changes require an NGINX service reload or restart to take effect. Reloading the NGINX service is generally safe, but a restart will briefly interrupt service.
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.