Memory disclosure or denial of service via ngx_http_charset_module heap buffer over-read
Summary
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. A flaw was found in NGINX. Remote, unauthenticated attackers can exploit a vulnerability in the `ngx_http_charset_module` when specific charset configurations are present. This can lead to a heap buffer over-read, potentially causing limited disclosure of memory or a denial of service by restarting the NGINX worker process. Red Hat severity: Moderate — CVSS 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L). Weakness: CWE-125. Fixed by RHSA-2026:27197 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- nginx-main-1.30.3-2.hum1
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- nginx-main-1.30.3-2.hum1
- RHSA-2026:27197
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- To mitigate this issue, avoid configuring NGINX with both `source_charset utf-8;` and an additional `charset` directive within the same location block in the `ngx_http_charset_module`. If these directives are not essential for your NGINX deployment, removing one or both will prevent the vulnerability from being exploited. After modifying the NGINX configuration, reload the NGINX service using `systemctl reload nginx`. This action may temporarily interrupt active connections.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.