Nginx Releases Critical Update: Six Vulnerabilities Patched in New Stable Version
Do Son 
The web infrastructure world received a major wake-up call today as nginx-1.30.1 was released to address a suite of six security vulnerabilities. These flaws range from high-severity arbitrary code execution to memory corruption, affecting everything from legacy request processing to modern HTTP/3 connections.
The most alarming discovery in this batch is a CVSSv4 9.2 rated vulnerability within the ngx_http_rewrite_module. This flaw is tracked as CVE-2026-42945. A heap memory buffer overflow can be triggered in a worker process by a specially crafted request.
This overflow could potentially allow an attacker to achieve arbitrary code execution, effectively handing over control of the worker process.
Nginx also patched several flaws that could lead to the exposure of sensitive data or the manipulation of backend traffic.
- Backend Request Injection (CVE-2026-42926): Attackers may be able to inject data into proxied requests to an HTTP/2 backend when the proxy_set_body directive is in use.
- SCGI/uWSGI Buffer Overread (CVE-2026-42946): Rated at CVSSv4 8.3, a crafted response handled by these modules can cause a buffer overread. This allows an attacker to cause a segmentation fault or force the disclosure of worker process memory.
- Charset Decoding Overread (CVE-2026-42934): Using the charset_map directive for UTF-8 decoding can lead to a limited disclosure of worker process memory if a malicious response is sent.
Even the newest features and security protocols aren’t immune to bugs. This update addresses critical issues in QUIC and DNS processing.
- HTTP/3 Address Spoofing (CVE-2026-40460): A flaw in connection migration processing allows new QUIC streams to receive a new client address before it has been properly validated. This opens the door for address spoofing attacks.
- DNS Resolver Use-After-Free (CVE-2026-40701): If the ssl_ocsp directive is active, a use-after-free vulnerability can occur during DNS response processing. This can lead to memory corruption or a worker process crash.
Security teams should immediately move to nginx-1.30.1 to eliminate these risks. If an immediate upgrade is not possible, review your configurations to see if you can temporarily disable high-risk directives like proxy_set_body, charset_map, or ssl_ocsp, though these are often critical to production traffic.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
