UBUNTU-CVE-2026-28755

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-28755
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-28755.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-28755
Upstream
  • CVE-2026-28755
Downstream
Related
Published
2026-03-24T15:16:00Z
Modified
2026-04-28T16:37:11.127936Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

NGINX Plus and NGINX Open Source have a vulnerability in the ngxstreamsslmodule module due to the improper handling of revoked certificates when configured with the sslverifyclient on and sslocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References

Affected packages

Ubuntu:24.04:LTS / nginx

Package

Name
nginx
Purl
pkg:deb/ubuntu/nginx@1.24.0-2ubuntu7.7?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.24.0-2ubuntu7.7

Affected versions

1.*
1.24.0-1ubuntu1
1.24.0-2ubuntu1
1.24.0-2ubuntu2
1.24.0-2ubuntu3
1.24.0-2ubuntu4
1.24.0-2ubuntu6
1.24.0-2ubuntu7
1.24.0-2ubuntu7.1
1.24.0-2ubuntu7.3
1.24.0-2ubuntu7.4
1.24.0-2ubuntu7.5
1.24.0-2ubuntu7.6

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libnginx-mod-http-geoip",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "libnginx-mod-http-image-filter",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "libnginx-mod-http-perl",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "libnginx-mod-http-xslt-filter",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "libnginx-mod-mail",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "libnginx-mod-stream",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "libnginx-mod-stream-geoip",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "nginx",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "nginx-common",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "nginx-core",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "nginx-extras",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "nginx-full",
            "binary_version": "1.24.0-2ubuntu7.7"
        },
        {
            "binary_name": "nginx-light",
            "binary_version": "1.24.0-2ubuntu7.7"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-28755.json"

Ubuntu:25.10 / nginx

Package

Name
nginx
Purl
pkg:deb/ubuntu/nginx@1.28.0-6ubuntu1.2?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.0-6ubuntu1.2

Affected versions

1.*
1.26.3-2ubuntu1
1.26.3-3ubuntu1
1.26.3-3ubuntu2
1.26.3-3ubuntu3
1.28.0-3ubuntu1
1.28.0-4ubuntu1
1.28.0-6ubuntu1
1.28.0-6ubuntu1.1

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "libnginx-mod-http-geoip",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "libnginx-mod-http-image-filter",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "libnginx-mod-http-perl",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "libnginx-mod-http-xslt-filter",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "libnginx-mod-mail",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "libnginx-mod-stream",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "libnginx-mod-stream-geoip",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "nginx",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "nginx-common",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "nginx-core",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "nginx-extras",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "nginx-full",
            "binary_version": "1.28.0-6ubuntu1.2"
        },
        {
            "binary_name": "nginx-light",
            "binary_version": "1.28.0-6ubuntu1.2"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-28755.json"