PT-2026-27430 · Nginx+4 · Nginx Open Source+6

Bzimport

·

Published

2026-03-24

·

Updated

2026-07-06

·

CVE-2026-27654

CVSS v4.0

8.8

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions NGINX Open Source (affected versions not specified) NGINX Plus (affected versions not specified)
Description A heap-based buffer overflow exists in the ngx http dav module module. This issue occurs when the configuration utilizes the DAV module MOVE or COPY methods in combination with prefix location (non-regular expression location configuration) and alias directives. A remote attacker can exploit this by sending a short Destination header, which may lead to the termination of the NGINX worker process, resulting in a Denial of Service (DoS), or allow the modification of source or destination file names outside the intended document root. The impact on integrity is limited as the NGINX worker process operates with low privileges.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the use of the MOVE and COPY methods within the ngx http dav module when used with prefix locations and alias directives.

Exploit

RCE

DoS

Buffer Overflow

Heap Based Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:6906
ALSA-2026:6907
ALSA-2026:6923
ALSA-2026:7002
ALSA-2026:7343
BDU:2026-04817
BIT-NGINX-2026-27654
BIT-NGINX-GATEWAY-2026-27654
CVE-2026-27654
OPENSUSE-SU-2026:10423-1
OPENSUSE-SU-2026:20784-1
RHSA-2026:13680
RHSA-2026:13839
RHSA-2026:14836
RHSA-2026:6906
RHSA-2026:6907
RHSA-2026:6923
RHSA-2026:7002
RHSA-2026:7343
RHSA-2026:8346
SUSE-SU-2026:1761-1
SUSE-SU-2026:1953-1
SUSE-SU-2026:21823-1
USN-8210-1
USN-8375-1

Affected Products

Linuxmint
Nginx Open Source
Nginx Plus
Nginx
Red Os
Rocky Linux
Ubuntu