เราจำเป็นต้องใช้คุกกี้ในการใช้งานเว็บเพจ โปรดอ่านนโยบายคุกกี้เพิ่มเติม
ความปลอดภัยของผลิตภัณฑ์ ASUSTOR การรับฟังปัญหา

AS-2026-010: Nginx

2026-05-19

Severity

Important

Status

Ongoing

Statement

F5 Networks has issued the security advisory, pointing out that the Nginx web server, which uses an asynchronous event-driven framework, has a security vulnerability, CVE-2026-42945, which occurs in the ngx_http_rewrite_module component.

F5 Networks announced multiple security vulnerabilities that have been fixed in the latest release of Nginx 1.30.1.

CVE-2026-42945, CVE-2026-42946, CVE-2026-40701, CVE-2026-42934 and CVE-2026-40460 will affect ASUSTOR products with Nginx 1.18 or 1.24 installed.

  • Nginx 1.30.1 will be released to resolve the issues as soon as possible.

Affected Products

Product Severity Fixed Release Availability
ADM 5.0 with Nginx installed Important Ongoing
ADM 4.3, ADM 4.2 and 4.1 with Nginx installed Important Ongoing

Detail

  • CVE-2026-42945
    • Severity: Critical
    • CVSS4 Base Score: 9.2
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    • NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  • CVE-2026-42946
    • Severity: High
    • CVSS4 Base Score: 8.3
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
    • A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  • CVE-2026-40701
    • Severity: Medium
    • CVSS4 Base Score: 6.3
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
    • NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  • CVE-2026-42934
    • Severity: Medium
    • CVSS4 Base Score: 6.3
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
    • NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  • CVE-2026-40460
    • Severity: Medium
    • CVSS4 Base Score: 6.9
    • CVSS4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
    • When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Reference

Revision

Revision Date Description
1 2026-05-19 Initial public release.