NGINX SCGI/UWSGI Modules Excessive Memory Allocation via MITM
CVE-2026-42946 Published on May 13, 2026

NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.


Vulnerability Analysis

CVE-2026-42946 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a small impact on availability.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: LOW

Weakness Types

What is a Stack Exhaustion Vulnerability?

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

CVE-2026-42946 has been classified as a Stack Exhaustion vulnerability or weakness.

What is an Untrusted pointer offset Vulnerability?

The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

CVE-2026-42946 has been classified as an Untrusted pointer offset vulnerability or weakness.

Products Associated with CVE-2026-42946


Affected Versions

F5 NGINX Plus:
F5 NGINX Open Source: