CVE-2026-42055

This vulnerability involves how NGINX forwards (proxies) HTTP/2 or gRPC requests to another server. If certain settings are used together, a remote attacker can send unusually large “header” information that overflows a memory buffer inside NGINX, causing the NGINX worker to restart. In everyday terms, it’s like an input box that’s supposed to hold a certain amount of text, but under specific conditions the text can spill into the wrong memory area and make the service crash.

This matters to you if you run F5 NGINX Open Source or F5 NGINX Plus and you use the ngx_http_proxy_v2_module or ngx_http_grpc_module with proxying to HTTP/2 (via proxy_http_version 2) or gRPC (via grpc_pass). It specifically depends on configuration choices: ignore_invalid_headers set to off and large_client_header_buffers set larger than 2 megabytes. If you don’t use those directives/modules together, you may not be exposed, but you should check your NGINX configuration.

This is an AMBER issue because the reported bug can lead to a crash/restart of NGINX worker processes (a serious availability problem), and it was patched due to a new report. While there’s no known exploitation in the wild and no public exploit reported, attackers don’t need to have access to your system—only that your setup meets the risky configuration conditions. Treat it as something to fix during your next available maintenance window, sooner if your site is high-traffic or exposed to the public internet.

1. Check whether your NGINX uses proxy_http_version 2 or grpc_pass and whether ignore_invalid_headers is off.
2. Check your large_client_header_buffers setting—if it’s larger than 2 megabytes, plan to reduce it or update NGINX to a patched version.
3. Have your IT/NGINX maintainer update NGINX and verify the proxy/gRPC configuration still works as expected.