DEBIAN-CVE-2026-42946

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-42946
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42946.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-42946
Upstream
  • CVE-2026-42946
Published
2026-05-13T16:16:50.340Z
Modified
2026-05-14T09:02:32.376875Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L CVSS Calculator
Summary
[none]
Details

A vulnerability exists in the ngxhttpscgimodule and ngxhttpuwsgimodule modules that may result in excessive memory allocation or an over-read of data. When scgipass or uwsgipass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References

Affected packages

Debian:11 / nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.18.0-6.1
1.18.0-6.1+deb11u1
1.18.0-6.1+deb11u2
1.18.0-6.1+deb11u3
1.18.0-6.1+deb11u4
1.18.0-6.1+deb11u5
1.18.0-7
1.18.0-8
1.18.0-9
1.20.2-1
1.20.2-2
1.20.2-3~exp1
1.22.0-1~exp1
1.22.0-1~exp2
1.22.0-1
1.22.0-2~exp1
1.22.0-2~exp2
1.22.0-2~exp3
1.22.0-2~exp4
1.22.0-2
1.22.0-3
1.22.0-3.1
1.22.1-1~exp1
1.22.1-1~exp2
1.22.1-1
1.22.1-2~exp1
1.22.1-2~exp2
1.22.1-2
1.22.1-3~exp1
1.22.1-3
1.22.1-4
1.22.1-5
1.22.1-6~exp1
1.22.1-6
1.22.1-7
1.22.1-8
1.22.1-9
1.24.0-1~exp1
1.24.0-1
1.24.0-2
1.26.0-1~exp1
1.26.0-1
1.26.0-2
1.26.0-3
1.26.2-1
1.26.3-1
1.26.3-2
1.26.3-3
1.28.0-1
1.28.0-2
1.28.0-3
1.28.0-4
1.28.0-5
1.28.0-6
1.28.1-1
1.28.1-2
1.28.1-3
1.28.2-1
1.28.2-2
1.28.2-3
1.28.2-4
1.28.3-1
1.28.3-2
1.30.0-1
1.30.0-2
1.30.0-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42946.json"

Debian:12 / nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.22.1-9
1.22.1-9+deb12u1
1.22.1-9+deb12u2
1.22.1-9+deb12u3
1.22.1-9+deb12u4
1.22.1-9+deb12u5
1.22.1-9+deb12u6
1.24.0-1~exp1
1.24.0-1
1.24.0-2
1.26.0-1~exp1
1.26.0-1
1.26.0-2
1.26.0-3
1.26.2-1
1.26.3-1
1.26.3-2
1.26.3-3
1.28.0-1
1.28.0-2
1.28.0-3
1.28.0-4
1.28.0-5
1.28.0-6
1.28.1-1
1.28.1-2
1.28.1-3
1.28.2-1
1.28.2-2
1.28.2-3
1.28.2-4
1.28.3-1
1.28.3-2
1.30.0-1
1.30.0-2
1.30.0-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42946.json"

Debian:13 / nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.26.3-3
1.26.3-3+deb13u1
1.26.3-3+deb13u2
1.26.3-3+deb13u3
1.26.3-3+deb13u4
1.28.0-1
1.28.0-2
1.28.0-3
1.28.0-4
1.28.0-5
1.28.0-6
1.28.1-1
1.28.1-2
1.28.1-3
1.28.2-1
1.28.2-2
1.28.2-3
1.28.2-4
1.28.3-1
1.28.3-2
1.30.0-1
1.30.0-2
1.30.0-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42946.json"

Debian:14 / nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.26.3-3
1.28.0-1
1.28.0-2
1.28.0-3
1.28.0-4
1.28.0-5
1.28.0-6
1.28.1-1
1.28.1-2
1.28.1-3
1.28.2-1
1.28.2-2
1.28.2-3
1.28.2-4
1.28.3-1
1.28.3-2
1.30.0-1
1.30.0-2
1.30.0-3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42946.json"