External risk intelligence

NGINX HTTP/2 and gRPC Heap Buffer Overflow

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-42055

A heap-based buffer overflow in the NGINX proxy modules may allow an attacker to crash a worker process, forcing a service restart, or, under specific and complex conditions, to execute code. The flaw affects NGINX instances that proxy HTTP/2 or gRPC traffic with particular configuration settings and receive large client headers.

Understanding the relevance and exposure

Halo Surface Signal score: 5

Buffer Overflow

External exposure likelihood

Halo Surface Signal score for CVE-2026-42055

NGINX is widely deployed as a public-facing web server, reverse proxy and API gateway. These roles place it at the network edge, terminating HTTP/2 and gRPC traffic from the internet, so an instance running the affected configuration is reachable by remote, unauthenticated clients in ordinary deployments.

PCI scan relevance

PCI Relevance for CVE-2026-42055

Yes

CVE-2026-42055 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in NGINX could allow an unauthenticated attacker to cause a heap-based buffer overflow, potentially leading to code execution. Its network attack vector and high impact make it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in NGINX proxy modules could allow an attacker to cause a denial of service or execute code under specific, complex conditions. This issue arises when certain proxy configurations are enabled for HTTP/2 or gRPC traffic. While the direct impact requires specific environmental factors, the broad use of NGINX makes understanding potential relevance and exposure a priority.

  • NGINX has a flaw in specific proxy configurations.
  • It could allow code execution or denial of service.
  • Confirm relevance and exposure for this NGINX issue.

Attack Path

How an attacker could exploit the issue

An attacker who can reach an NGINX instance running the affected configuration (HTTP/2 or gRPC proxying with ignore_invalid_headers off and large_client_header_buffers above 2 MB) sends a request carrying specially crafted, oversized headers. When NGINX forwards those headers upstream, the heap overflow occurs in the worker process, which crashes; if memory-safety protections on the host are disabled, the corruption could be turned into code execution.

  • Entry condition: network reachability and the specific NGINX configuration described above.
  • Trigger point: oversized headers in a request that NGINX proxies upstream.
  • Resulting risk: worker process crash, with potential code execution.

Live Threat

Current exploitation, exposure, and threat context

A heap-based buffer overflow could occur in the NGINX worker process when handling specific HTTP/2 or gRPC requests with large headers, potentially leading to a service restart or code execution if certain system configurations are met.

  • Affected component: the NGINX worker process and its heap memory.
  • Trigger: processing specially crafted, oversized headers.
  • Impact: service interruption or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Identifying affected NGINX deployments is the first step and usually falls to the infrastructure or platform teams that run the web tier. Dump the resolved configuration with `nginx -T` on each instance and check for the combination that enables the flaw: HTTP/2 or gRPC proxying (grpc_pass, or proxy_pass on a server that speaks HTTP/2) together with ignore_invalid_headers off and large_client_header_buffers above 2 MB, remembering that both header directives, when set in the http block, are inherited by every server block that does not override them. Rank confirmed instances by internet exposure and criticality, then coordinate with vendor management or application owners to plan and schedule remediation. Because the overflow only occurs when all three conditions hold (see the FAQ), restoring ignore_invalid_headers to its default of on or reducing the header buffer size removes the trigger as an interim mitigation, provided the fronted application tolerates the change.

  • Infrastructure or platform teams typically own the NGINX instances.
  • Verify HTTP/2 and gRPC proxying together with the ignore_invalid_headers and large_client_header_buffers settings, including values inherited from the http block.
  • Prioritize remediation by exposure and criticality, using a configuration change as interim mitigation where the application allows it.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is NGINX and why is it used?

NGINX is a versatile software platform acting as a high-performance web server, reverse proxy, and API gateway. It sits between clients and backend applications, managing incoming web traffic, load balancing, and providing security layers. Because of its efficiency and speed, it is frequently deployed at the network edge to handle HTTP and gRPC traffic, making it a foundational component for routing requests across modern internet-facing infrastructures and internal service meshes.

What is the vulnerability in CVE-2026-42055?

This vulnerability is a heap-based buffer overflow, classified as CWE-122. It occurs when the software incorrectly manages memory while processing complex HTTP/2 or gRPC headers. In plain terms, if the system receives header data that exceeds the memory space allocated for it, the process can become unstable. This instability can force the NGINX worker process to crash, causing a service interruption, or, under specific system conditions, potentially allow an attacker to run unauthorized code.

How can an attacker trigger this buffer overflow?

The vulnerability requires a very specific combination of settings: proxying HTTP/2 or gRPC traffic, explicitly disabling the ignore_invalid_headers directive (its default is on), and configuring large_client_header_buffers to exceed 2 megabytes. If any of these conditions is missing, the memory error does not occur. The attacker must also be able to send specially crafted, oversized headers in a request that NGINX forwards upstream, so ordinary traffic to instances without this configuration will not trigger the bug.

Is my infrastructure at risk according to Halo Surface Signal?

Halo Surface Signal indicates this issue is very likely to be relevant because NGINX is commonly deployed in public-facing roles to process external HTTP/2 and gRPC requests. Because the software is designed to operate at the network edge, any server exposed to the internet with the mentioned configurations is directly reachable by unauthenticated, remote actors. You should prioritize assessing systems that interface directly with untrusted network traffic for these specific proxy settings.

What should I do if I run NGINX?

Start by auditing your configuration files to determine if you are using HTTP/2 or gRPC proxying alongside the identified directive settings. Do not assume all instances are vulnerable; focus your review on identifying the specific combinations of ignore_invalid_headers and large_client_header_buffers mentioned. Once you map these configurations, work with your infrastructure or platform teams to prioritize remediation for any systems exposed to external, untrusted network traffic.
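The configuration audit described in the Operational Fix section and in this answer, as a worked example added here (it is not code from the page, from NGINX or from the vendor): a Python checker that parses the resolved configuration printed by `nginx -T` and flags server blocks meeting all three conditions. It assumes the 2 MB threshold applies to the per-buffer size argument of large_client_header_buffers (the page does not say which argument), treats grpc_pass, or proxy_pass on a server with HTTP/2 enabled, as HTTP/2 or gRPC proxying, and uses a constructed sample configuration.

```python
"""Flag NGINX server blocks that meet the CVE-2026-42055 trigger conditions named on this page:
HTTP/2 or gRPC proxying with ignore_invalid_headers off and large_client_header_buffers above 2 MiB.
Hypothetical checker (not an NGINX or vendor tool); feed it the resolved config from `nginx -T`."""
import re

TWO_MIB = 2 * 1024 * 1024
_SUFFIX = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Constructed sample configuration for the demonstration, not a real deployment.
SAMPLE_CONFIG = """
http {
    server {                                   # all three conditions met
        listen 443 ssl http2; server_name grpc.example.test;
        ignore_invalid_headers off; large_client_header_buffers 4 4m;  # 4 MiB per buffer
        location / { grpc_pass grpc://127.0.0.1:50051; }
    }
    server {                                   # default header handling: not flagged
        listen 443 ssl http2; server_name web.example.test;
        location / { proxy_pass http://127.0.0.1:8080; }
    }
}
"""

def parse_size(text):
    """Convert an nginx size literal (8k, 4m, 4096) to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if not m: raise ValueError(f"bad size literal: {text!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).lower()]

def tokenize(text):
    """Split config text into tokens; '#' starts a comment that runs to end of line."""
    tokens = []
    for line in text.splitlines():
        line = re.sub(r"([{};])", r" \1 ", line.split("#", 1)[0])
        tokens.extend(line.split())
    return tokens

def parse_block(tokens, pos=0):
    """Parse tokens into (name, args, children) triples; children is None for a plain directive."""
    items, cur = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}":
            break
        if tok in ";{" and cur:
            children = None
            if tok == "{":
                children, pos = parse_block(tokens, pos)
            items.append((cur[0], cur[1:], children))
            cur = []
        elif tok not in ";{":
            cur.append(tok)
    return items, pos

def _settings(items, inherited):
    """Apply this block's own directives on top of the settings inherited from its parent."""
    s = dict(inherited)
    for name, args, children in items:
        if children is not None or not args:
            continue
        if name == "ignore_invalid_headers":
            s["ignore_invalid_headers"] = args[0].lower() == "on"
        elif name == "large_client_header_buffers" and len(args) == 2:
            s["header_buffer_size"] = parse_size(args[1])  # second argument is the per-buffer size
        elif name == "http2":
            s["http2"] = args[0].lower() == "on"
        elif name == "listen" and "http2" in args:
            s["http2"] = True  # pre-1.25.1 form: listen ... http2
    return s

def _pass_directives(items):
    """Collect grpc_pass / proxy_pass directives from this block and any nested location."""
    found = set()
    for name, _args, children in items:
        if name in ("grpc_pass", "proxy_pass"):
            found.add(name)
        if children is not None:
            found |= _pass_directives(children)
    return found

def audit(config_text):
    """Return one finding per server block that meets all three conditions."""
    defaults = {"ignore_invalid_headers": True, "header_buffer_size": 8 * 1024, "http2": False}  # nginx defaults
    findings = []
    tree, _ = parse_block(tokenize(config_text))
    for name, _args, http_items in tree:
        if name != "http" or http_items is None:
            continue
        http_settings = _settings(http_items, defaults)
        for sname, _sargs, server_items in http_items:
            if sname != "server" or server_items is None:
                continue
            s = _settings(server_items, http_settings)
            passes = _pass_directives(server_items)
            proxies_h2 = "grpc_pass" in passes or (s["http2"] and bool(passes))  # gRPC is HTTP/2 upstream
            if proxies_h2 and not s["ignore_invalid_headers"] and s["header_buffer_size"] > TWO_MIB:
                server_name = next((a[0] for n, a, _c in server_items if n == "server_name" and a), "(unnamed)")
                findings.append({"server_name": server_name, "header_buffer_size": s["header_buffer_size"],
                                 "pass": sorted(passes)})
    return findings
```

Run it as `audit(open("nginx-T.txt").read())` after saving `nginx -T 2>&1` from each host; the first sample server is flagged, the second is not because it keeps the default header handling. Settings placed in the http block are inherited by every server block, so a single `ignore_invalid_headers off;` at the top of the file can make every proxied vhost a candidate, and either raising ignore_invalid_headers back to on or dropping the buffer size to 2 MiB or less clears the finding.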
