Synopsis
| Issued | 2026-05-18 |
| Severity | Critical |
| Updated Packages | kusanagi-nginx131 |
| Affected Products | Business Edition, KUSANAGI 9, Security Edition |
Description
An update for kusanagi-nginx131 is now available.
Security fix(es):
- Security: when using the "proxy_set_body" directive, an attacker might inject data in the proxied request to an HTTP/2 backend (CVE-2026-42926). Thanks to Mufeed VH of Winfunc Research.
- Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_rewrite_module, potentially resulting in arbitrary code execution (CVE-2026-42945). Thanks to Leo Lin.
- Security: a heap memory buffer overread might occur in a worker process while handling a specially crafted response by ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker to cause a disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42946). Thanks to Leo Lin.
- Security: a heap memory buffer overread might occur in a worker process while handling a specially sent response with decoding from UTF-8 via the "charset_map" directive, allowing an attacker to cause a limited disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42934). Thanks to David Carlier.
- Security: when using HTTP/3, processing of connection migration might cause new QUIC streams to receive a new client address before validation, allowing an attacker to cause address spoofing (CVE-2026-40460). Thanks to Rodrigo Laneth.
- Security: use-after-free might occur during DNS server response processing if the "ssl_ocsp" directive was used, allowing an attacker to cause worker process memory corruption or segmentation fault in a worker process (CVE-2026-40701). Thanks to Leo Lin.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE information may not yet be available on those websites.
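
To judge which of the fixes above matter most on a given host, the following added example (not part of the original advisory and not KUSANAGI or nginx code) scans a configuration dump for the directives involved and reports the lines where they occur. The advisory names only "proxy_set_body", "charset_map" and "ssl_ocsp"; the directives used here to indicate use of the rewrite, SCGI/uwsgi and HTTP/3 code are assumptions of this example, and the sample configuration is constructed.

```python
import re

# (CVE from the advisory, regex for a directive that puts the affected code in use).
# Assumption: rewrite/set/return/if stand for ngx_http_rewrite_module, *_pass for
# the scgi/uwsgi modules, and "listen ... quic" / "http3 on" for HTTP/3.
CHECKS = [
    ("CVE-2026-42926", r"proxy_set_body\s"),   # HTTP/2 backend condition not checked
    ("CVE-2026-42945", r"(?:rewrite|set|return)\s|if\s*\("),
    ("CVE-2026-42946", r"(?:scgi_pass|uwsgi_pass)\s"),
    ("CVE-2026-42934", r"charset_map\s"),
    ("CVE-2026-40460", r"listen\s[^;]*\squic\b|http3\s+on\b"),
    ("CVE-2026-40701", r"ssl_ocsp\s+(?:on|leaf)\b"),
]

_COMMENT = re.compile(r'''("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|#[^\n]*''')


def strip_comments(text):
    """Drop '#' comments but keep '#' inside quoted strings; newlines survive."""
    return _COMMENT.sub(lambda m: m.group(1) or "", text)


def triage(config_text):
    """Return {CVE: [line numbers]} where a relevant directive is configured."""
    text = strip_comments(config_text)
    hits = {}
    for cve, directive in CHECKS:
        # A directive starts a statement: at line start or after ';', '{' or '}'.
        pat = re.compile(r"(?:^|[;{}])\s*(?P<d>" + directive + ")", re.MULTILINE)
        hits[cve] = [text.count("\n", 0, m.start("d")) + 1 for m in pat.finditer(text)]
    return hits


# Constructed sample configuration (not taken from any real host).
SAMPLE = r'''
http {
    # charset_map koi8-r utf-8 { }   (commented out, must not match)
    server {
        listen 443 quic reuseport;
        listen 443 ssl;
        ssl_ocsp off;
        location /app {
            set $backend "up#1";
            uwsgi_pass unix:/run/app.sock;
        }
        location /api { proxy_set_body $request_body; proxy_pass http://127.0.0.1:8080; }
    }
}
'''

if __name__ == "__main__":
    for cve, lines in triage(SAMPLE).items():
        print(cve, "configured at lines", lines if lines else "none")
```

Feed it the output of `nginx -T` so that included files are covered. An empty result for a CVE only means the matching directive was not found in the configuration; the package update is still required.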