
[scarthgap,meta-webserver] nginx: fix CVE-2026-42055

Message ID 20260701-nginx-cve-2026-42055-v1-1-3d46e5da4f1c@bootlin.com
State New
Series [scarthgap,meta-webserver] nginx: fix CVE-2026-42055 | expand

Commit Message

Benjamin Robin (Schneider Electric) July 1, 2026, 11:06 a.m. UTC
A heap memory buffer overflow might occur in a worker process when using
a configuration with "ignore_invalid_headers off;" and
"large_client_header_buffers" with large configured values when
proxying a specially crafted request to a gRPC backend, allowing an attacker
to cause worker process memory corruption or segmentation fault in a
worker process.

This is a partial cherry-pick of 131be8514da8985b15b74150521afedbf9cc4ea3
since ngx_http_proxy_v2_module.c does not exist in nginx 1.24

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
 .../recipes-httpd/nginx/files/CVE-2026-42055.patch | 102 +++++++++++++++++++++
 meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb |   1 +
 2 files changed, 103 insertions(+)


---
base-commit: b0c2c648a1af89e7a8dd4c2ec841f3bc0ed0ccb9
change-id: 20260701-nginx-cve-2026-42055-4199c305f4a8

Best regards,
--  
Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>

Patch

diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2026-42055.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-42055.patch
new file mode 100644
index 000000000000..5bb8e94063cd
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2026-42055.patch
@@ -0,0 +1,102 @@ 
+From 2782212e79ea4d1bdd4ab0f13ac24555a5ebbc0c Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Tue, 2 Jun 2026 19:37:17 +0400
+Subject: [PATCH] Upstream: limit header length for HTTP/2 and gRPC
+
+The change applies the HTTP/2 header length limits to avoid buffer
+overflow.  See 58a7bc3406ac for details.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-42055
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/131be8514da8985b15b74150521afedbf9cc4ea3]
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ src/http/modules/ngx_http_grpc_module.c | 44 +++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
+index dfe49c58618c..f7473b11aa3e 100644
+--- a/src/http/modules/ngx_http_grpc_module.c
++++ b/src/http/modules/ngx_http_grpc_module.c
+@@ -740,6 +740,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+         tmp_len = 0;
+
+     } else {
++        if (r->method_name.len > NGX_HTTP_V2_MAX_FIELD) {
++            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                          "too long http2 method: \"%V\"", &r->method_name);
++            return NGX_ERROR;
++        }
++
+         len += 1 + NGX_HTTP_V2_INT_OCTETS + r->method_name.len;
+         tmp_len = r->method_name.len;
+     }
+@@ -760,6 +766,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+         uri_len = r->uri.len + escape + sizeof("?") - 1 + r->args.len;
+     }
+
++    if (uri_len > NGX_HTTP_V2_MAX_FIELD) {
++        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                      "too long http2 URI");
++        return NGX_ERROR;
++    }
++
+     len += 1 + NGX_HTTP_V2_INT_OCTETS + uri_len;
+
+     if (tmp_len < uri_len) {
+@@ -769,6 +781,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+     /* :authority header */
+
+     if (!glcf->host_set) {
++        if (ctx->host.len > NGX_HTTP_V2_MAX_FIELD) {
++            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                          "too long http2 host: \"%V\"", &ctx->host);
++            return NGX_ERROR;
++        }
++
+         len += 1 + NGX_HTTP_V2_INT_OCTETS + ctx->host.len;
+
+         if (tmp_len < ctx->host.len) {
+@@ -799,6 +817,18 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+             continue;
+         }
+
++        if (key_len > NGX_HTTP_V2_MAX_FIELD) {
++            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                          "too long http2 header name");
++            return NGX_ERROR;
++        }
++
++        if (val_len > NGX_HTTP_V2_MAX_FIELD) {
++            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                          "too long http2 header value");
++            return NGX_ERROR;
++        }
++
+         len += 1 + NGX_HTTP_V2_INT_OCTETS + key_len
+                  + NGX_HTTP_V2_INT_OCTETS + val_len;
+
+@@ -833,6 +863,20 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
+                 continue;
+             }
+
++            if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) {
++                ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                              "too long http2 header name: \"%V\"",
++                              &header[i].key);
++                return NGX_ERROR;
++            }
++
++            if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) {
++                ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                              "too long http2 header value: \"%V: %V\"",
++                              &header[i].key, &header[i].value);
++                return NGX_ERROR;
++            }
++
+             len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len
+                      + NGX_HTTP_V2_INT_OCTETS + header[i].value.len;
+
+--
+2.54.0
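Review bot: The header of the added CVE-2026-42055.patch does not record that it is a partial backport. Its `Upstream-Status: Backport [...]` line points at the full upstream commit 131be8514da8985b15b74150521afedbf9cc4ea3, while the file touches only ngx_http_grpc_module.c. The reason, that ngx_http_proxy_v2_module.c does not exist in nginx 1.24, is given only in the layer commit message, so someone auditing the recipe's patch against upstream will see an unexplained mismatch. I would add a line under the Upstream-Status tag such as `Partial backport: ngx_http_proxy_v2_module.c changes dropped, file does not exist in nginx 1.24.` Separately, every added check compares against `NGX_HTTP_V2_MAX_FIELD` and the patch adds no definition for it, so it is worth confirming the macro is already visible to ngx_http_grpc_module.c in the 1.24.0 tree (it presumably sits alongside `NGX_HTTP_V2_INT_OCTETS`, which the context lines already use).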
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index dee6c6618e37..e407c1d083bc 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -15,6 +15,7 @@  SRC_URI:append = " \
                   file://CVE-2026-42946-01.patch \
                   file://CVE-2026-42946-02.patch \
                   file://CVE-2026-9256.patch \
+                  file://CVE-2026-42055.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"