Cyber Resilience

CVE-2026-42946


Published: 13 May 2026

Modified: 16 June 2026
CVSS v4 score: 8.3 (High)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0093 (56.3rd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-42946 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in F5 Nginx Ingress Controller. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 43.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.


Vulnerability details

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
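Because exposure hinges on whether scgi_pass or uwsgi_pass is configured at all, a first triage step is to inventory those directives across an nginx configuration tree. The following is an added example (not code from the advisory or from F5) that does this over constructed sample files; the file paths, sockets and upstream addresses are made up.

```python
"""Exposure triage for CVE-2026-42946: locate scgi_pass / uwsgi_pass directives.
Added example, not from the advisory or F5. Walks an nginx configuration given
as an in-memory dict of constructed files (so it runs offline), follows include
directives, ignores comments and reports each hit with file, line and target.
"""
import fnmatch
import re

# Constructed sample configuration; paths, sockets and addresses are made up.
SAMPLE_CONFIG = {
    "/etc/nginx/nginx.conf": """
http {
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        # uwsgi_pass 127.0.0.1:3031;  commented out, must not be reported
        location /app/ { proxy_pass http://127.0.0.1:8080; }
    }
}
""",
    "/etc/nginx/conf.d/legacy.conf": """
server {
    listen 8081;
    location /cgi/ { scgi_pass unix:/run/scgi.sock; }
    location /py/  { uwsgi_pass 10.0.0.5:3031; }
}
""",
}

PASS_RE = re.compile(r"\b(scgi_pass|uwsgi_pass)\s+([^;]+);")
INCLUDE_RE = re.compile(r"\binclude\s+([^;]+);")

def find_exposed(files, root="/etc/nginx/nginx.conf", seen=None):
    """Return [(file, line_no, directive, target)] for every scgi/uwsgi upstream."""
    seen = set() if seen is None else seen
    if root in seen or root not in files:   # guard against include loops
        return []
    seen.add(root)
    hits = []
    for n, raw in enumerate(files[root].splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip comments before matching
        m = PASS_RE.search(line)
        if m:
            hits.append((root, n, m.group(1), m.group(2).strip()))
        inc = INCLUDE_RE.search(line)
        if inc:                              # follow include globs
            for path in sorted(p for p in files if fnmatch.fnmatch(p, inc.group(1).strip())):
                hits += find_exposed(files, path, seen)
    return hits

if __name__ == "__main__":
    for hit in find_exposed(SAMPLE_CONFIG):
        print("%s:%d %s -> %s" % hit)
```

An empty result means neither vulnerable module is wired to an upstream, so the MITM precondition described above does not apply; otherwise each reported location is a candidate for patching or for moving the upstream off an untrusted network path.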

CWE(s)

CWE-789 Memory Allocation with Excessive Size Value

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables a direct memory read of the worker process (T1005) or a worker crash and restart via crafted upstream responses (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Vendor  Product                   Affected versions
f5      dos                       4.8.0
f5      nginx app protect dos     4.3.0 — 4.7.0
f5      nginx app protect waf     4.9.0 — 4.16.0 · 5.1.0 — 5.8.0
f5      nginx gateway fabric      1.3.0 — 1.6.2 · 2.0.0 — 2.6.0
f5      nginx ingress controller  3.5.0 — 3.7.2 · 4.0.0 — 4.0.1 · 5.0.0 — 5.4.2
f5      nginx instance manager    2.16.0 — 2.22.0
f5      nginx open source         0.8.42 — 0.9.7 · 1.0.0 — 1.30.0
f5      nginx plus                r32 — r36
f5      waf                       5.9.0 — 5.12.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
