ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-42055 Heap Buffer Overflow in NGINX HTTP/2 Proxy and gRPC Modules

A short review of CVE-2026-42055, a high severity heap buffer overflow in NGINX's HTTP/2 proxy and gRPC modules that can cause worker process crashes and potential remote code execution under specific non-default configurations.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-17

Brief Summary: CVE-2026-42055 Heap Buffer Overflow in NGINX HTTP/2 Proxy and gRPC Modules
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap buffer overflow in NGINX's HTTP/2 proxy and gRPC modules can be triggered remotely by an unauthenticated attacker sending oversized headers, crashing worker processes and opening the door to code execution on systems without ASLR. With NGINX powering 32.8% of all websites and roughly 4.6 million active domains, the potential blast radius of any exploitable flaw in its proxy pipeline is significant, particularly for organizations running API gateways and microservices architectures that rely on HTTP/2 upstream proxying.

CVE-2026-42055 arrives during a period of heightened scrutiny for NGINX's HTTP/2 implementation. The closely related CVE-2026-42945 ("NGINX Rift") was rapidly weaponized after disclosure, and this new vulnerability shares the same CWE classification, the same vendor, and a similar attack surface. While exploitation requires a specific combination of three non-default configuration directives, deployments that meet those criteria are often high value targets: gRPC proxies, service meshes, and HTTP/2 reverse proxies sitting in front of critical backend infrastructure.

Technical Information

Vulnerability Classification

CVE-2026-42055 is classified under CWE-122 (Heap-based Buffer Overflow). The NVD has assigned dual CVSS scores:

Scoring StandardScoreSeverity
CVSS v3.18.1High
CVSS v4.09.2Critical

The CVSS v4.0 vector string is CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. This reflects a network accessible vulnerability with high attack complexity, requiring no privileges or user interaction, but capable of high impact to confidentiality, integrity, and availability of the vulnerable system.

Affected Modules and Root Cause

The vulnerability resides in two NGINX modules: ngx_http_proxy_v2_module and ngx_http_grpc_module. Both modules handle proxying of HTTP/2 traffic to upstream servers. The core issue is in the buffer allocation logic: when NGINX constructs an upstream HTTP/2 request, the allocation does not correctly account for the full size of incoming headers. If those headers are sufficiently large (enabled by the configuration conditions described below), the resulting write exceeds the allocated heap buffer, corrupting adjacent memory in the NGINX worker process.

Required Configuration Conditions

This vulnerability is only exploitable when all three of the following non-default configuration conditions are simultaneously present in a location block:

  1. HTTP/2 proxying enabled: The proxy_http_version directive is set to 2, or the grpc_pass directive is used to proxy gRPC traffic over HTTP/2.
  2. Invalid header processing enabled: The ignore_invalid_headers directive is set to off, meaning NGINX will accept and process headers that would otherwise be rejected as malformed.
  3. Oversized header buffers: The large_client_header_buffers directive is configured with a per-buffer size exceeding 2 megabytes.

Because all three conditions deviate from NGINX defaults, the vulnerable configuration surface is narrower than the full install base. However, deployments that proxy HTTP/2 or gRPC traffic to upstream backends, particularly in API gateway or microservices environments, are more likely to have these settings in place.

Attack Flow

The exploitation proceeds through the following steps:

  1. The attacker identifies a vulnerable NGINX instance meeting all three configuration conditions. This could be discovered through header size probing or configuration disclosure.
  2. The attacker sends an HTTP request containing extremely large headers to a location block configured for HTTP/2 proxying.
  3. Because ignore_invalid_headers is set to off, NGINX accepts and processes these oversized headers rather than rejecting them at the parsing stage.
  4. The large_client_header_buffers setting (above 2 MB) allocates sufficient memory to receive the incoming headers on the client side.
  5. When NGINX constructs the upstream HTTP/2 request via the proxy_v2 or gRPC module, the buffer allocation for the outbound request does not correctly account for the full header size. The module writes beyond the allocated heap buffer.
  6. The heap corruption affects adjacent memory in the NGINX worker process.

The F5 advisory notes "conditions beyond their control," indicating that the attacker cannot guarantee exploitation success on every attempt. The heap layout and internal state of the worker process at the time of the overflow determine whether the corruption results in a simple crash or a controllable memory write.

Impact Analysis

Denial of Service: The immediate and most reliable impact is a worker process crash and restart. NGINX's multi-worker architecture limits the blast radius of a single worker crash, but repeated exploitation can cause persistent service degradation across all workers.

Remote Code Execution: The more severe outcome is arbitrary code execution, achievable when:

  • Address Space Layout Randomization (ASLR) is disabled on the host system, allowing the attacker to predict memory addresses.
  • The attacker can bypass ASLR through a separate information leak vulnerability or side channel attack.

On systems with ASLR enabled and no bypass available, code execution is significantly more difficult but not categorically impossible, as heap corruption can still be leveraged for probabilistic exploitation.

Relationship to CVE-2026-42926

CVE-2026-42055 is closely related to CVE-2026-42926, another vulnerability in the ngx_http_proxy_v2_module. CVE-2026-42926 (CVSS v3.1: 5.8, CVSS v4.0: 6.3) allows a remote unauthenticated attacker to inject arbitrary HTTP/2 frame headers and payload bytes into the upstream connection when NGINX is configured with proxy_set_body and proxy_http_version set to 2. This enables desynchronization between NGINX and the upstream HTTP/2 peer. Both CVEs affect the same module and share the HTTP/2 proxy attack surface, but CVE-2026-42055 carries higher severity due to its code execution potential. Organizations should address both vulnerabilities together.

Affected Systems and Versions

Based on the F5 advisory (K000161584), the following products and versions are affected:

ProductAffected VersionsFixed Version
NGINX PlusR37.0.0 through R37.0.1R37.0.2.1
NGINX Open Source (mainline)1.31.11.31.2
NGINX Open Source (stable)1.30.0 through 1.30.21.30.3

Vulnerable configuration requirements (all three must be present simultaneously):

  • proxy_http_version 2 or grpc_pass directive in use
  • ignore_invalid_headers off
  • large_client_header_buffers with a per-buffer size exceeding 2 megabytes

Software versions that have reached End of Technical Support (EoTS) are not evaluated by F5 and may remain vulnerable. Organizations running EoTS versions should upgrade to a supported branch.

Vendor Security History

The 2025 to 2026 period has seen a notable concentration of NGINX vulnerabilities, particularly in HTTP/2 and proxy related modules:

CVE IDModuleSeverity (v3.1 / v4.0)
CVE-2026-42945ngx_http_rewrite_moduleMedium (nginx.org) / Critical 9.2 (NVD)
CVE-2026-42926ngx_http_proxy_v2_module5.8 / 6.3
CVE-2026-42055ngx_http_proxy_v2_module, ngx_http_grpc_module8.1 / 9.2
CVE-2026-40460ngx_quic_moduleMedium
CVE-2026-42946ngx_http_scgi_module, ngx_http_uwsgi_moduleMedium
CVE-2026-27654ngx_http_dav_moduleMedium
CVE-2026-27784ngx_http_mp4_moduleMedium
CVE-2026-32647ngx_http_mp4_moduleMedium

Historically, NGINX had relatively few critical severity vulnerabilities. The closest historical parallels are the 2014 SPDY vulnerabilities (CVE-2014-0133, CVE-2014-0088) and the 2013 stack buffer overflow (CVE-2013-2028). The current cluster of HTTP/2 proxy findings suggests this area of the codebase has become a productive target for security researchers, and F5 has been responsive in issuing advisories and patches. However, the volume of recent findings raises questions about the depth of the original HTTP/2 proxy implementation's security review.

Of particular concern is CVE-2026-42945 ("NGINX Rift"), which was confirmed to be actively exploited shortly after disclosure. SecurityWeek reported rapid weaponization, and the CSA Singapore advisory confirmed both active exploitation and proof of concept availability. Proofpoint's May 2026 threat intelligence report identifies 12 distinct 2026 CVEs being actively exploited in network-facing attacks, with threat actors including TA422 (Russia linked, APT28), TA406 (DPRK aligned), and TA569 (SocGholish) all demonstrating opportunistic use of public proof of concept code. While CVE-2026-42055 has not yet been observed in active exploitation, the pattern established by CVE-2026-42945 suggests the window between disclosure and weaponization is narrowing.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization