PT-2026-40679 · F5 · Nginx Open Source+1

Published 2026-05-13 · Updated 2026-05-13 · CVE-2026-42934

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When the charset, source_charset, and charset_map directives and proxy_pass with disabled buffering ("off") are configured, unauthenticated attackers can send requests that, together with conditions beyond the attackers' control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
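
A configuration audit for the preconditions described above, as an added example that is not F5's or the NGINX project's code. It assumes "disabled buffering" means the proxy_buffering off directive; parse, audit and SAMPLE are hypothetical names, and the sample config is constructed.

```python
import re
INHERITED = ("charset", "source_charset", "proxy_buffering")

def parse(text):
    """Build a tree of blocks. Simplified: no include handling, '#' in quotes not handled."""
    root = {"header": ["main"], "own": {}, "children": []}
    stack, words = [root], []
    for tok in re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text)):
        if tok == "{":
            node = {"header": words or ["?"], "own": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == ";" and words:
            stack[-1]["own"][words[0]] = [w.lower() for w in words[1:]]
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return root

def audit(text):
    """Return headers of blocks whose effective settings match the advisory's preconditions."""
    root, maps, hits = parse(text), [], []
    def walk(node, inherited, collect):
        if collect and node["header"][0] == "charset_map":
            maps.append({w.lower() for w in node["header"][1:3]})
        eff = {k: node["own"].get(k, inherited.get(k)) for k in INHERITED}
        cs, src = eff["charset"], eff["source_charset"]
        if (not collect and "proxy_pass" in node["own"] and cs and src
                and eff["proxy_buffering"] == ["off"] and {cs[0], src[0]} in maps):
            hits.append(" ".join(node["header"]))
        for child in node["children"]:
            walk(child, eff, collect)
    walk(root, {}, True)   # pass 1: collect charset_map pairs wherever they appear
    walk(root, {}, False)  # pass 2: resolve inherited settings and test each block
    return hits

SAMPLE = """  # constructed config for illustration, not from the advisory
http {
    charset_map koi8-r utf-8 { C0 D18E; }
    source_charset koi8-r;
    server {
        location /stream { proxy_pass http://127.0.0.1:8080; proxy_buffering off; }
        location /page   { proxy_pass http://127.0.0.1:8080; }
        location /raw    { charset off; proxy_pass http://127.0.0.1:8080; proxy_buffering off; }
        charset utf-8;   # declared after the locations, still inherited by them
    }
}
"""
if __name__ == "__main__": print(audit(SAMPLE))
```

Feed it the output of nginx -T so that included files are covered. A hit marks a block that combines the listed directives and is worth reviewing against the vendor's fixed versions; it does not show that the block is exploitable.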

Weakness Enumeration

Out of bounds Read

Related Identifiers

CVE-2026-42934

Affected Products

Nginx Open Source
Nginx Plus