Skip to main content
SecurityJuly 15, 20266 min read

nginx Patches Three CVEs, One a 9.2 Critical Bug That Sat Hidden in the Code Since 2011

nginx has patched three CVEs disclosed on July 15, 2026, in the same release: a 9.2-rated critical buffer overflow in map regex matching (CVE-2026-42533) that has been sitting in the code since 2011, a high-severity memory disclosure in the optional slice module (CVE-2026-60005), and a use-after-free in the SSI module (CVE-2026-56434) present since 2009. All three are fixed in nginx 1.30.4 stable and 1.31.3 mainline. Here is what is genuinely exploitable, what is not, and how fast to move.

Three Bugs, One Release, and Fifteen Years of Quiet Exposure

nginx shipped a security release on July 15, 2026 that patches three separate vulnerabilities at once, and the timeline behind them is the part that should worry you more than the patch notes do. The worst of the three, a heap buffer overflow rated 9.2 CRITICAL, has been sitting in the map directive's regex handling since nginx 0.9.6, released back in March 2011. A second bug, a use-after-free in the SSI module, is older still, present since version 0.8.11 in August 2009, nearly seventeen years before anyone found it. The fixes landed in nginx 1.30.4 on the stable branch and 1.31.3 on mainline. If you have not upgraded past those versions, every one of these bugs is live in your worker processes right now.

What Actually Shipped

The three vulnerabilities, confirmed against NVD and nginx's own advisories:

CVE-2026-42533 is a heap buffer overflow in the map directive when it uses regex matching and a configuration references the regex capture variables before the map's own output variable. NVD scores it 8.1 HIGH under CVSS 3.1 and 9.2 CRITICAL under the newer CVSS 4.0 scoring. It affects nginx from 0.9.6 up to but not including 1.30.4, and 1.31.2 up to 1.31.3, which is effectively every release for fifteen years.

CVE-2026-60005 is a memory disclosure in ngx_http_slice_module, the module responsible for splitting large responses into byte-range chunks. NVD rates it 8.2 HIGH on CVSS 3.1 and 8.8 HIGH on CVSS 4.0, which is worth noting because some early coverage has been calling this one Medium severity. It is not, at least not by NVD's own scoring. An unauthenticated attacker can send requests that read uninitialized worker memory or crash the process outright. The one real limit is that the slice module is not compiled in by default, it only exists if nginx was built with the --with-http_slice_module flag.

CVE-2026-56434 is a use-after-free in ngx_http_ssi_module, the Server Side Includes module. NVD gives it 6.5 MEDIUM on CVSS 3.1 but 8.3 HIGH on CVSS 4.0, and it is the oldest of the three, present since 0.8.11 in 2009. Triggering it requires SSI, proxy_pass, and proxy_buffering all configured together, and the attacker needs a man-in-the-middle position on the connection, not just anonymous internet access. That narrows the real-world path considerably, but it does not close it.

The One That Matters Most

CVE-2026-42533 is the bug to lose sleep over, and not only because of the score. It sits in code that has processed every regex-based map directive written in the last decade and a half, quietly, without anyone noticing it was there. The failure mode is a heap overflow in the worker process, and the vulnerability description states plainly that this can lead to denial-of-service or, when address space layout randomization is disabled, code execution.

That ASLR qualifier is doing a lot of work in how this bug reads, and it is worth being precise about what it means rather than either panicking over it or waving it away. ASLR ships on by default across essentially every current Linux distribution. But ASLR is a mitigation, not a lock, and mitigation bypasses are a well established category of attack technique, not a theoretical curiosity. Some containerized environments and some hardened or embedded builds run with ASLR weakened or disabled for reasons that have nothing to do with this bug, and those are exactly the environments where the code-execution path stops being hypothetical. Treat the CRITICAL score as the operative number, and treat ASLR as a second layer that might already be thinner than you assume, not as a reason to move slower.

Who Is Actually Exposed

Every nginx install running a regex map directive is exposed to CVE-2026-42533, and that is a lot of configurations, because regex maps are a common, unremarkable pattern for routing, header rewriting, and feature flagging. You do not need an unusual setup to be affected here, which is precisely what makes this one different from a niche module flaw.

CVE-2026-60005 only applies if the slice module was compiled in, which most stock nginx builds do not include by default, though a meaningful share of custom builds and some Linux distribution packages do enable it for range-request handling on large files. Check your build flags before assuming you are clear.

CVE-2026-56434 needs the specific SSI plus proxy_pass plus proxy_buffering combination and a man-in-the-middle position, which is a narrower and less common configuration. It is real, it is old, and it should still be patched, but it is not the one to treat as an emergency on its own.

What to Do Now

Upgrade to nginx 1.30.4 if you track the stable branch, or 1.31.3 if you run mainline. There is no configuration workaround for CVE-2026-42533 that does not involve either removing regex maps entirely or accepting the risk, so patching is the only real fix. While you plan the rollout:

Audit your configuration for regex-based map directives first, since that is the widest exposure and the one with no build-flag escape hatch. If you find them, prioritize those hosts.

Check your nginx build flags for --with-http_slice_module. If it is present and you use byte-range slicing, patch that host with the same urgency as the map issue, regardless of what severity label you saw elsewhere.

Confirm whether any host runs SSI with proxy_pass and proxy_buffering together. If none do, CVE-2026-56434 is a lower priority for you specifically, but patch it in the same maintenance window since you are already touching the binary.

Rebuild and redeploy container images that bundle nginx, and restart any long-running process holding an old nginx worker in memory. A package update on the host does nothing for a process that has not been restarted.

Verify the running version with nginx -v after the rollout, on every host, not just the ones you remember to check.

Fifteen years is a long time for a critical bug to sit unnoticed in one of the most widely deployed pieces of software on the internet. That is not a reason to panic about nginx as a project, security researchers and the maintainers found and fixed this the way the process is supposed to work, but it is a reason to actually run the upgrade this week rather than filing it under someday. If you want a fast audit of which of your hosts run vulnerable configurations, which builds have the slice module compiled in, and how to sequence the upgrade across a fleet without downtime, that is exactly what our security and compliance and server management work covers. For another case of a critical bug hiding in plain sight for over a decade, see our note on the Januscape KVM escape.

Sources

Talk to the engineer who will own your stack.

No account managers, no offshore handoff. Senior DevOps, direct. Tell us what you are dealing with and you get a straight answer.

Related News

Security

A 16-Year-Old KVM Bug Called Januscape Lets a Guest VM Break Out to the Host on Intel and AMD

Januscape (CVE-2026-53359) is a 16-year-old use-after-free in the Linux KVM shadow MMU on both Intel and AMD, rated a guest-to-host escape by Canonical. The public proof of concept crashes the host from inside a guest, while full host takeover is claimed but not published. Upstream fixed it on July 4, but distro kernels are still pending. Here is who is exposed, the nested-virtualization mitigation, and what to do now.

Security

A 15-Year-Old Linux Kernel Bug Called GhostLock Gives Any Local User Root and Escapes Containers

GhostLock (CVE-2026-43499) is a 15-year-old use-after-free in the Linux kernel rtmutex code that lets any logged-in user become root, and in the researchers' testing escape containers. It was quietly patched upstream in May, but Nebula Security has now published a working exploit, which changes the risk for anyone running shared or multi-tenant Linux. Here is who is actually exposed and what to do.

Security

The New libssh2 SSH Flaw Is Client-Side, Not Your sshd, and apt upgrade Will Not Fix the Copies That Matter

CVE-2026-55200 is an out-of-bounds write in the libssh2 client library that a malicious or compromised SSH server can use to corrupt a connecting client's memory, and a public proof-of-concept is already out. The corrections that matter: it is client-side and not an OpenSSH or sshd bug, the severity rating is disputed across scorers, and the real cleanup is finding the statically linked and vendored copies a distribution update never touches.