PT-2022-5182 · Nginx · Nginx Plus
Published: 2022-10-19 · Updated: 2023-11-06 · CVE-2022-41743
CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
NGINX Plus versions prior to R27 P1 and R26 P1
Description
The issue is a buffer overflow in the ngx_http_hls_module of NGINX Ingress Controller that can be exploited to cause a denial of service or potentially other impacts. It occurs when the module processes a specially crafted audio or video file, allowing a local attacker to corrupt NGINX worker memory. The attack is only possible if the hls directive is used in the configuration file and the attacker can trigger the processing of a specially crafted file.
Recommendations
For NGINX Plus versions prior to R27 P1, update to version R27 P1 or later to resolve the issue.
For NGINX Plus versions prior to R26 P1, update to version R26 P1 or later to resolve the issue.
As a temporary workaround, consider disabling the ngx_http_hls_module until a patch is available, or restrict the use of the hls directive in the configuration file to minimize the risk of exploitation.
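To apply the workaround you first need to know where the hls directive is enabled. The following is an added example, not part of the original advisory or of NGINX itself: a simplified configuration scanner that reports every block containing `hls;`. The function name `find_hls_locations` and the sample configuration are constructed for illustration.

```python
import re

# Tokens: quoted strings, comments, block/statement punctuation, bare words.
# Simplified tokenizer (assumption): enough for typical nginx configuration.
_TOKEN = re.compile(
    r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[{};]|[^\s{};"'#]+''')

def find_hls_locations(config_text):
    """Return the block path (e.g. 'http > server > location /video')
    of every block that enables the `hls;` directive."""
    stack, stmt, hits = [], [], []
    for tok in _TOKEN.findall(config_text):
        if tok.startswith("#"):
            continue                      # commented-out directives do not count
        if tok == "{":
            stack.append(" ".join(stmt))  # words before '{' name the block
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            if stmt == ["hls"]:           # exactly `hls;`, not hls_buffers etc.
                hits.append(" > ".join(stack))
            stmt = []
        else:
            stmt.append(tok)
    return hits

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = '''
http {
    server {
        listen 8080;
        location /video {
            hls;
            hls_fragment 5s;
            alias /var/media;
        }
        location /legacy {
            # hls;
            hls_buffers 10 10m;
        }
        location /static { root "/srv/www;hls;"; }
    }
}
'''

if __name__ == "__main__":
    for path in find_hls_locations(SAMPLE):
        print("hls enabled in:", path)
```

Run it over the full merged configuration (for example the output of `nginx -T`) so that included files are covered.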
Fix
Memory Corruption
Weakness Enumeration
Related Identifiers
Affected Products
Nginx Ingress Controller
Nginx Plus