On 17 June 2026 nginx shipped a fix for CVE-2026-42055, a heap-based buffer overflow that shows up when the server proxies HTTP/2 traffic to a backend. The bug lives in two specific modules: ngx_http_proxy_v2_module, which speaks HTTP/2 to the upstream when you set proxy_http_version 2, and ngx_http_grpc_module, which handles grpc_pass.
What goes wrong
When nginx builds the request toward the backend, it mishandles large headers. If a remote, unauthenticated client sends headers big enough, that data triggers a heap-based buffer overflow inside the worker process. The immediate effect is a worker crash and restart, which is a denial of service. On machines where ASLR is disabled, or where an attacker can work around it, the overflow can be pushed toward code execution.
This is not the default setup. According to F5’s advisory, several conditions have to line up at once: the proxy to the upstream must use HTTP/2 (proxy_http_version 2) or gRPC, ignore_invalid_headers must be off, and large_client_header_buffers must be configured above 2 MB. If your nginx is a plain HTTP/1.1 reverse proxy, this code path never runs.
Who’s affected
The flaw is present in nginx Open Source from 1.13.10 through 1.31.1, and in NGINX Plus when the configuration above applies. Look closely at any deployment acting as a gRPC gateway or proxying modern apps over HTTP/2 to the backend, since that’s where the real exposure sits.
Severity is rated medium. It isn’t a guaranteed RCE against every install, but a repeated worker restart is enough to take down an exposed service, and the component is reachable without credentials.
How to protect yourself
The clean path is to update. F5 fixes the bug in the stable 1.31.2 branch and the earlier mainline 1.30.3. On Ubuntu, Canonical published the patched package in USN-8458-1, covering the supported releases (26.04, 25.10, 24.04 LTS and 22.04 LTS); apply the usual security updates and reload the service.
If you can’t patch right away, check the config first. Restoring large_client_header_buffers to its default, leaving ignore_invalid_headers on, or not proxying to the upstream over HTTP/2 or gRPC breaks the chain of conditions the overflow needs. Those are reversible changes that buy you time as a temporary mitigation.
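To turn the precondition chain described above (HTTP/2 or gRPC upstream, ignore_invalid_headers off, large_client_header_buffers above 2 MB) and the affected version range into a check you can run, here is an added example; it is not code from nginx, F5 or Ubuntu. It assumes the input is the text that `nginx -T` prints, takes `proxy_http_version 2` exactly as the advisory describes it, and performs a flat scan that does not model how nginx inherits directives between http, server and location blocks, so a "chain complete" result is a prompt to inspect the real config rather than a verdict. The sample configurations, version banners and backend names are constructed for the example.

```python
"""Audit an nginx configuration dump for the CVE-2026-42055 precondition chain.

Added example (not nginx, F5 or Ubuntu code). Input is assumed to be the output
of `nginx -T`. The scan is context-insensitive: it does not model directive
inheritance across http/server/location blocks, so use its result as a pointer
for manual review of the real configuration.
"""
import re

# Affected nginx Open Source range stated in the advisory: 1.13.10 through 1.31.1.
AFFECTED_MIN = (1, 13, 10)
AFFECTED_MAX = (1, 31, 1)

# Buffer size above which the advisory says large_client_header_buffers is a precondition.
THRESHOLD_BYTES = 2 * 1024 ** 2

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(token: str) -> int:
    """Convert an nginx size token such as 8k, 4m or 2048 into bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token.strip())
    if not m:
        raise ValueError(f"not an nginx size: {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def strip_comments(config: str) -> str:
    """Drop everything after '#' on each line so commented-out directives are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in config.splitlines())


def directive_values(config: str, name: str) -> list[list[str]]:
    """Return the argument list of every occurrence of a simple directive 'name args;'."""
    pattern = re.compile(r"(?<!\w)" + re.escape(name) + r"\s+([^;{\n]*);")
    return [m.group(1).split() for m in pattern.finditer(strip_comments(config))]


def audit_config(config: str) -> dict:
    """Report which of the three preconditions are present and whether all of them line up."""
    h2_upstream = any(args and args[0] == "2"
                      for args in directive_values(config, "proxy_http_version"))
    grpc_upstream = bool(directive_values(config, "grpc_pass"))
    invalid_headers_off = any(args and args[0].lower() == "off"
                              for args in directive_values(config, "ignore_invalid_headers"))
    # large_client_header_buffers takes "number size"; the threshold concerns the size.
    sizes = [parse_size(args[1])
             for args in directive_values(config, "large_client_header_buffers")
             if len(args) >= 2]
    big_buffers = any(size > THRESHOLD_BYTES for size in sizes)
    findings = {
        "http2_or_grpc_upstream": h2_upstream or grpc_upstream,
        "ignore_invalid_headers_off": invalid_headers_off,
        "large_client_header_buffers_over_2m": big_buffers,
    }
    findings["chain_complete"] = all(findings.values())
    return findings


def parse_version(banner: str) -> tuple:
    """Extract the version tuple from `nginx -v` output, e.g. 'nginx version: nginx/1.31.1'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version in {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(banner: str) -> bool:
    """True if the reported version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(banner) <= AFFECTED_MAX


# Constructed sample: a gRPC gateway with all three weak settings in place.
VULNERABLE_CONFIG = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl http2;
        location / {
            grpc_pass grpc://backend:50051;   # constructed backend name
        }
    }
}
"""

# Constructed sample: same gateway with the two header settings back at their defaults,
# which breaks the chain even though gRPC proxying stays in place.
MITIGATED_CONFIG = """
http {
    ignore_invalid_headers on;
    large_client_header_buffers 4 8k;
    server {
        listen 443 ssl http2;
        location / {
            grpc_pass grpc://backend:50051;   # constructed backend name
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(label, audit_config(cfg))
    print(version_in_affected_range("nginx version: nginx/1.31.1"))
```

Feed it `nginx -T 2>&1` and `nginx -v 2>&1` from each host; a complete chain on an affected version is the combination the advisory describes, while a single missing precondition is what the temporary mitigations above are meant to achieve.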
This wasn’t the only recent fix in the server: the same week brought a patch for a critical use-after-free in the HTTP/3 QUIC module, so if you run nginx it’s worth reading both advisories together.
Source
- Ubuntu Security – CVE-2026-42055: https://ubuntu.com/security/CVE-2026-42055
- NVD – CVE-2026-42055: https://nvd.nist.gov/vuln/detail/CVE-2026-42055