ALPINE-CVE-2026-42934
- Source
- https://security.alpinelinux.org/vuln/CVE-2026-42934
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-42934.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2026-42934
- Upstream
- Published
- 2026-05-13T16:16:49.910Z
- Modified
- 2026-06-17T16:30:05.248163581Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- [none]
- Details
-
NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpcharsetmodule module. When charset, sourcecharset, and charsetmap and proxypass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- References
Affected packages
Alpine:v3.22 / nginx
Package
- Name
- nginx
- Purl
- pkg:apk/alpine/nginx?arch=source
Alpine:v3.23 / nginx
Package
- Name
- nginx
- Purl
- pkg:apk/alpine/nginx?arch=source