{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "* SECURITY UPDATE: response injection from SSL upstream when a MITM-positioned\n     backend delivers a plain text response before the TLS handshake completes\n     - debian/patches/CVE-2026-1642.patch: reject plain text reads in\n       ngx_http_upstream_process_header when u->ssl is set but c->ssl is NULL\n     - CVE-2026-1642\n   * SECURITY UPDATE: memory disclosure and worker crash in\n     ngx_http_scgi_module and ngx_http_uwsgi_module when scgi_pass or\n     uwsgi_pass is configured and a MITM-positioned upstream returns an\n     invalid status line, due to header parsing resuming with a stale\n     r->state after the status-line fallback\n     - debian/patches/CVE-2026-42946.patch: reset r->state to 0 in the\n       NGX_ERROR fallback branch of ngx_http_scgi_process_status_line and\n       ngx_http_uwsgi_process_status_line before delegating to the\n       generic header parser\n     - CVE-2026-42946",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912",
        "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_docker/debian13/advisories/2026/clsa-2026_1781257912.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-12T09:53:44Z",
      "generator": {
        "date": "2026-06-12T09:53:44Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1781257912",
      "initial_release_date": "2026-06-12T09:53:44Z",
      "revision_history": [
        {
          "date": "2026-06-12T09:53:44Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "Fix of 6 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Debian 13",
                "product": {
                  "name": "Debian 13",
                  "product_id": "Debian-13",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:debian:debian_linux:13:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Debian"
          }
        ],
        "category": "vendor",
        "name": "Software in the Public Interest, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els9?arch=arm64&os_name=debian&os_version=13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els7?arch=arm64&os_name=debian&os_version=13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els6?arch=arm64&os_name=debian&os_version=13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els4?arch=arm64&os_name=debian&os_version=13"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els9?arch=amd64&os_name=debian&os_version=13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els7?arch=amd64&os_name=debian&os_version=13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els6?arch=amd64&os_name=debian&os_version=13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els4?arch=amd64&os_name=debian&os_version=13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
                "product": {
                  "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
                  "product_id": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/nginx1.21@1.21.6-1~trixie%2Btuxcare.els3?arch=amd64&os_name=debian&os_version=13"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
        "relates_to_product_reference": "Debian-13"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64 as a component of Debian 13",
          "product_id": "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64"
        },
        "product_reference": "nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
        "relates_to_product_reference": "Debian-13"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27654",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "description",
          "text": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow in the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (non-regular-expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
        ],
        "known_affected": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-docker/cve/CVE-2026-27654"
        },
        {
          "category": "external",
          "summary": "https://my.f5.com/manage/s/article/K000160382",
          "url": "https://my.f5.com/manage/s/article/K000160382"
        }
      ],
      "release_date": "2026-03-24T15:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-12T09:51:55.970455Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912"
        },
        {
          "category": "none_available",
          "date": "2026-03-24T15:16:00Z",
          "details": "Affected",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-1642",
      "cwe": {
        "id": "CWE-349",
        "name": "Acceptance of Extraneous Untrusted Data With Trusted Data"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side—along with conditions beyond the attacker's control—may be able to inject plain text data into the response from an upstream proxied server.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
        ],
        "known_affected": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-docker/cve/CVE-2026-1642"
        }
      ],
      "release_date": "2026-02-04T15:02:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-12T09:51:55.970455Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912"
        },
        {
          "category": "none_available",
          "date": "2026-02-04T15:02:00Z",
          "details": "Affected",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-42946",
      "cwe": {
        "id": "CWE-789",
        "name": "Memory Allocation with Excessive Size Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
        ],
        "known_affected": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-docker/cve/CVE-2026-42946"
        },
        {
          "category": "external",
          "summary": "https://my.f5.com/manage/s/article/K000161027",
          "url": "https://my.f5.com/manage/s/article/K000161027"
        }
      ],
      "release_date": "2026-05-13T16:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-12T09:51:55.970455Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912"
        },
        {
          "category": "none_available",
          "date": "2026-05-13T16:16:00Z",
          "details": "Affected",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-32647",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write in the memory of the NGINX worker process, resulting in termination of the worker or possibly code execution, by means of a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus when built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
        ],
        "known_affected": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-docker/cve/CVE-2026-32647"
        },
        {
          "category": "external",
          "summary": "https://my.f5.com/manage/s/article/K000160366",
          "url": "https://my.f5.com/manage/s/article/K000160366"
        }
      ],
      "release_date": "2026-03-24T15:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-12T09:51:55.970455Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912"
        },
        {
          "category": "none_available",
          "date": "2026-03-24T15:16:00Z",
          "details": "Affected",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-27651",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
        ],
        "known_affected": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-docker/cve/CVE-2026-27651"
        },
        {
          "category": "external",
          "summary": "https://my.f5.com/manage/s/article/K000160383",
          "url": "https://my.f5.com/manage/s/article/K000160383"
        }
      ],
      "release_date": "2026-03-24T15:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-12T09:51:55.970455Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912"
        },
        {
          "category": "none_available",
          "date": "2026-03-24T15:16:00Z",
          "details": "Affected",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-27784",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "description",
          "text": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
        ],
        "known_affected": [
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
          "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-docker/cve/CVE-2026-27784"
        },
        {
          "category": "external",
          "summary": "https://my.f5.com/manage/s/article/K000160364",
          "url": "https://my.f5.com/manage/s/article/K000160364"
        }
      ],
      "release_date": "2026-03-24T15:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-12T09:51:55.970455Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ],
          "url": "https://cve.tuxcare.com/els-docker/releases/CLSA-2026:1781257912"
        },
        {
          "category": "none_available",
          "date": "2026-03-24T15:16:00Z",
          "details": "Affected",
          "product_ids": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els3.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els4.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els6.arm64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els7.arm64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.amd64",
            "Debian-13:nginx1.21-0:1.21.6-1~trixie+tuxcare.els9.arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}