Introduction
A heap buffer overflow in NGINX's HTTP/2 proxy and gRPC modules can be triggered remotely by an unauthenticated attacker sending oversized headers, crashing worker processes and opening the door to code execution on systems without ASLR. With NGINX powering 32.8% of all websites and roughly 4.6 million active domains, the potential blast radius of any exploitable flaw in its proxy pipeline is significant, particularly for organizations running API gateways and microservices architectures that rely on HTTP/2 upstream proxying.
CVE-2026-42055 arrives during a period of heightened scrutiny for NGINX's HTTP/2 implementation. The closely related CVE-2026-42945 ("NGINX Rift") was rapidly weaponized after disclosure, and this new vulnerability shares the same CWE classification, the same vendor, and a similar attack surface. While exploitation requires a specific combination of three non-default configuration directives, deployments that meet those criteria are often high value targets: gRPC proxies, service meshes, and HTTP/2 reverse proxies sitting in front of critical backend infrastructure.
Technical Information
Vulnerability Classification
CVE-2026-42055 is classified under CWE-122 (Heap-based Buffer Overflow). The NVD has assigned dual CVSS scores:
| Scoring Standard | Score | Severity |
|---|---|---|
| CVSS v3.1 | 8.1 | High |
| CVSS v4.0 | 9.2 | Critical |
The CVSS v4.0 vector string is CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. This reflects a network accessible vulnerability with high attack complexity, requiring no privileges or user interaction, but capable of high impact to confidentiality, integrity, and availability of the vulnerable system.
Affected Modules and Root Cause
The vulnerability resides in two NGINX modules: ngx_http_proxy_v2_module and ngx_http_grpc_module. Both modules handle proxying of HTTP/2 traffic to upstream servers. The core issue is in the buffer allocation logic: when NGINX constructs an upstream HTTP/2 request, the allocation does not correctly account for the full size of incoming headers. If those headers are sufficiently large (enabled by the configuration conditions described below), the resulting write exceeds the allocated heap buffer, corrupting adjacent memory in the NGINX worker process.
Required Configuration Conditions
This vulnerability is only exploitable when all three of the following non-default configuration conditions are simultaneously present in a location block:
- HTTP/2 proxying enabled: The
proxy_http_versiondirective is set to2, or thegrpc_passdirective is used to proxy gRPC traffic over HTTP/2. - Invalid header processing enabled: The
ignore_invalid_headersdirective is set tooff, meaning NGINX will accept and process headers that would otherwise be rejected as malformed. - Oversized header buffers: The
large_client_header_buffersdirective is configured with a per-buffer size exceeding 2 megabytes.
Because all three conditions deviate from NGINX defaults, the vulnerable configuration surface is narrower than the full install base. However, deployments that proxy HTTP/2 or gRPC traffic to upstream backends, particularly in API gateway or microservices environments, are more likely to have these settings in place.
Attack Flow
The exploitation proceeds through the following steps:
- The attacker identifies a vulnerable NGINX instance meeting all three configuration conditions. This could be discovered through header size probing or configuration disclosure.
- The attacker sends an HTTP request containing extremely large headers to a location block configured for HTTP/2 proxying.
- Because
ignore_invalid_headersis set tooff, NGINX accepts and processes these oversized headers rather than rejecting them at the parsing stage. - The
large_client_header_bufferssetting (above 2 MB) allocates sufficient memory to receive the incoming headers on the client side. - When NGINX constructs the upstream HTTP/2 request via the proxy_v2 or gRPC module, the buffer allocation for the outbound request does not correctly account for the full header size. The module writes beyond the allocated heap buffer.
- The heap corruption affects adjacent memory in the NGINX worker process.
The F5 advisory notes "conditions beyond their control," indicating that the attacker cannot guarantee exploitation success on every attempt. The heap layout and internal state of the worker process at the time of the overflow determine whether the corruption results in a simple crash or a controllable memory write.
Impact Analysis
Denial of Service: The immediate and most reliable impact is a worker process crash and restart. NGINX's multi-worker architecture limits the blast radius of a single worker crash, but repeated exploitation can cause persistent service degradation across all workers.
Remote Code Execution: The more severe outcome is arbitrary code execution, achievable when:
- Address Space Layout Randomization (ASLR) is disabled on the host system, allowing the attacker to predict memory addresses.
- The attacker can bypass ASLR through a separate information leak vulnerability or side channel attack.
On systems with ASLR enabled and no bypass available, code execution is significantly more difficult but not categorically impossible, as heap corruption can still be leveraged for probabilistic exploitation.
Relationship to CVE-2026-42926
CVE-2026-42055 is closely related to CVE-2026-42926, another vulnerability in the ngx_http_proxy_v2_module. CVE-2026-42926 (CVSS v3.1: 5.8, CVSS v4.0: 6.3) allows a remote unauthenticated attacker to inject arbitrary HTTP/2 frame headers and payload bytes into the upstream connection when NGINX is configured with proxy_set_body and proxy_http_version set to 2. This enables desynchronization between NGINX and the upstream HTTP/2 peer. Both CVEs affect the same module and share the HTTP/2 proxy attack surface, but CVE-2026-42055 carries higher severity due to its code execution potential. Organizations should address both vulnerabilities together.
Affected Systems and Versions
Based on the F5 advisory (K000161584), the following products and versions are affected:
| Product | Affected Versions | Fixed Version |
|---|---|---|
| NGINX Plus | R37.0.0 through R37.0.1 | R37.0.2.1 |
| NGINX Open Source (mainline) | 1.31.1 | 1.31.2 |
| NGINX Open Source (stable) | 1.30.0 through 1.30.2 | 1.30.3 |
Vulnerable configuration requirements (all three must be present simultaneously):
proxy_http_version 2orgrpc_passdirective in useignore_invalid_headers offlarge_client_header_bufferswith a per-buffer size exceeding 2 megabytes
Software versions that have reached End of Technical Support (EoTS) are not evaluated by F5 and may remain vulnerable. Organizations running EoTS versions should upgrade to a supported branch.
Vendor Security History
The 2025 to 2026 period has seen a notable concentration of NGINX vulnerabilities, particularly in HTTP/2 and proxy related modules:
| CVE ID | Module | Severity (v3.1 / v4.0) |
|---|---|---|
| CVE-2026-42945 | ngx_http_rewrite_module | Medium (nginx.org) / Critical 9.2 (NVD) |
| CVE-2026-42926 | ngx_http_proxy_v2_module | 5.8 / 6.3 |
| CVE-2026-42055 | ngx_http_proxy_v2_module, ngx_http_grpc_module | 8.1 / 9.2 |
| CVE-2026-40460 | ngx_quic_module | Medium |
| CVE-2026-42946 | ngx_http_scgi_module, ngx_http_uwsgi_module | Medium |
| CVE-2026-27654 | ngx_http_dav_module | Medium |
| CVE-2026-27784 | ngx_http_mp4_module | Medium |
| CVE-2026-32647 | ngx_http_mp4_module | Medium |
Historically, NGINX had relatively few critical severity vulnerabilities. The closest historical parallels are the 2014 SPDY vulnerabilities (CVE-2014-0133, CVE-2014-0088) and the 2013 stack buffer overflow (CVE-2013-2028). The current cluster of HTTP/2 proxy findings suggests this area of the codebase has become a productive target for security researchers, and F5 has been responsive in issuing advisories and patches. However, the volume of recent findings raises questions about the depth of the original HTTP/2 proxy implementation's security review.
Of particular concern is CVE-2026-42945 ("NGINX Rift"), which was confirmed to be actively exploited shortly after disclosure. SecurityWeek reported rapid weaponization, and the CSA Singapore advisory confirmed both active exploitation and proof of concept availability. Proofpoint's May 2026 threat intelligence report identifies 12 distinct 2026 CVEs being actively exploited in network-facing attacks, with threat actors including TA422 (Russia linked, APT28), TA406 (DPRK aligned), and TA569 (SocGholish) all demonstrating opportunistic use of public proof of concept code. While CVE-2026-42055 has not yet been observed in active exploitation, the pattern established by CVE-2026-42945 suggests the window between disclosure and weaponization is narrowing.
References
- NVD: CVE-2026-42055
- F5 Advisory K000161584: NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability CVE-2026-42055
- F5 Advisory K000161131: NGINX ngx_http_proxy_v2_module vulnerability CVE-2026-42926
- F5 Advisory K000161019: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945
- NGINX Official Security Advisories
- CSA Singapore: Multiple Vulnerabilities in F5 NGINX, BIG-IP and BIG-IQ
- SecurityWeek: Exploitation of Critical NGINX Vulnerability Begins
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- Radware: AI-Discovered HTTP/2 Bomb Affects Major Web Servers
- runZero: F5 NGINX Vulnerability: Find Impacted Systems
- NVD: CVE-2026-42945
- TechnologyChecker: Companies Using NGINX in 2026



