Critical: kusanagi-nginx130 Security Update

Synopsis

Issued 2026-07-16
Severity Critical
Updated Packages kusanagi-nginx130
Affected Products Business Edition, KUSANAGI 9, Security Edition

Description

An update for kusanagi-nginx130 is now available.

Security fix(es):

  • Security: heap buffer overflow might occur in a worker process when using the map directive with regex matching if the map variable was included in a string expression after a capture affected by this map; a similar issue might happen when using a non-cacheable variable in a string expression (CVE-2026-42533). Thanks to Mufeed VH of Winfunc Research and Maxim Dounin.
  • Security: uninitialized memory access might occur when using unnamed regex captures with the "slice" directive or background cache update, which could result in worker process memory disclosure or worker process termination (CVE-2026-60005).
  • Security: use-after-free might occur when processing a specially crafted proxied backend response with the ngx_http_ssi_filter_module (CVE-2026-56434). Thanks to P4P3R-HAK.

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE information may not yet be available on those websites.

References

Updated packages listed below

This product uses the NVD API but is not endorsed or certified by the NVD.