CVE-2026-42946

6.5 MEDIUM

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an...

Published: 2026-05-13 · Last updated: 2026-06-16

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
CWE: CWE-789, CWE-823

Affected products

Vendor	Product
f5	dos, nginx_app_protect_dos, nginx_app_protect_waf

Description

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42946
[Vendor advisory]https://my.f5.com/manage/s/article/K000161027

Related CVEs

Same vendor

CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
CVE-2026-9256 — NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module (8.1 HIGH)
CVE-2026-8711 — NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (... (8.1 HIGH)
CVE-2009-3555 — The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in... (9.8 CRITICAL)

Same CWE

CVE-2026-44967 — OpenTelemetry-cpp is the C++ implementation of OpenTelemetry (5.3 MEDIUM)
CVE-2026-47734 — Dulwich is a pure-Python implementation of the Git file formats and protocols (5.7 MEDIUM)
CVE-2026-10142 — kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-i... (7.5 HIGH)
CVE-2026-52759 — Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause ... (5.5 MEDIUM)
CVE-2026-52753 — Ghidra before 12.0.3 contains an out-of-memory vulnerability in the rust_demangle function that allocates unbounded output buffers withou... (5.5 MEDIUM)