Synopsis
| Issued | 2026-06-18 |
| Severity | Awaiting Analysis |
| Updated Packages | kusanagi-nginx130 |
| Affected Products | Business Edition, KUSANAGI 9, Security Edition |
Description
An update for kusanagi-nginx130 is now available.
Security fix(es):
- Security: a heap memory buffer overflow might occur in a worker process when using a configuration with "ignore_invalid_headers off;" and "large_client_header_buffers" with large configured values when proxying a specially crafted request to HTTP/2 or gRPC backend, allowing an attacker to cause worker process memory corruption or segmentation fault in a worker process (CVE-2026-42055). Thanks to Mufeed VH of Winfunc Research.
- Security: a heap memory buffer overread might occur in a worker process while handling a specially sent response with decoding from UTF-8 via the "charset_map" directive, allowing an attacker to cause a limited disclosure of worker proccess memory or segmentation fault in a worker process (CVE-2026-48142). Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE information may not yet be available on those websites.
