● Medium · CVSS 4.8

How to Fix CVE-2026-42934: Out-of-Bounds Read in NGINX Plus

Q: Is CVE-2026-42934 being exploited in the wild?

Public exploitation has not been confirmed by CISA at the time of writing. Treat the patch as time-sensitive anyway; reports often lag actual abuse.

Q: Will a WAF or IDS rule fully mitigate CVE-2026-42934?

No. Network-layer filters can reduce noise and slow opportunistic scanners, but they will not stop a determined attacker. The vendor patch is the only durable fix.

Q: How long should I plan for the upgrade?

Typical vendor-documented upgrade windows for NGINX Plus run from a few minutes to under an hour depending on cluster size. Test in a staging environment first and follow the vendor's documented HA upgrade order.

Other vulnerabilities in the same area that are worth patching alongside this one:

How to Fix CVE-2026-28755: Access Control Bypass in NGINX Open Source — Access Control Bypass in NGINX Open Source
How to Fix CVE-2026-34403: Cwe-1385: missing origin validation in websockets in nginx-ui — Cwe-1385: missing origin validation in websockets in nginx-ui
How to Fix CVE-2026-40460: Authentication Bypass in NGINX Plus , Authentication Bypass in NGINX Plus
How to Fix CVE-2026-33027: Path Traversal in nginx-ui , Path Traversal in nginx-ui
How to Fix CVE-2026-33028: Critical Vulnerability in nginx-ui , Critical Vulnerability in nginx-ui

*By Sai Kiran Pandrala*

⚡ At a glance


Severity	CVSS 4.8 - Medium
Actively exploited?	Not currently listed in CISA KEV
Affected	R36 < R36 P4, R32 < R32 P6, 0.3.50 < 1.30.1
Fixed in	R37, 1.31.0
Type (CWE)	CWE-125: Out-of-bounds Read

What is CVE-2026-42934?

CVE-2026-42934 is an out-of-bounds read in NGINX Plus. A malformed input causes the product to read memory past the intended buffer boundary, which leaks adjacent process memory and in some cases crashes the service. Vendor description: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.

Why this CVE matters

Out-of-bounds read flaws in a network-facing service produce information disclosure today and are routinely the first half of a two-bug chain that ends in code execution.

For deployments of NGINX Plus that have been exposed to the public internet during the disclosure window, the operating assumption should be that scanning has already happened. Even where exploitation has not been publicly observed, scanning for the vulnerable fingerprint is cheap and routine. Patching closes the door; log review and credential rotation close out the rest of the response.

Am I affected?

You are affected if your installation matches any of these version ranges:

NGINX Plus: R36 < R36 P4
NGINX Plus: R32 < R32 P6
NGINX Plus: 0.3.50 < 1.30.1

Check your installed version against the list above. If you cannot determine the version, treat the system as affected and follow the upgrade path below.

On BIG-IP, run tmsh show sys version from the CLI. The Active Version line is the value to compare against the advisory.

How to fix CVE-2026-42934

Read the vendor advisory in full: https://my.f5.com/manage/s/article/K000161028
Upgrade NGINX Plus to R37, 1.31.0 or a later version listed in the vendor advisory.
Back up the configuration (and database, where applicable) before upgrading.
Apply the patch in a maintenance window. For HA pairs, upgrade the standby node first, fail over, then upgrade the former primary.
Restart the affected service so the patched binary loads, then verify the new version (see verification section).

Upgrade f5 big-ip to the patched release


# CVE-2026-42934 affects NGINX Plus R36 < R36 P4. Fixed in R36 P4.
# Vendor advisory: https://my.f5.com/manage/s/article/K000161028

# 1. Confirm the running version.
tmsh show /sys version

# 2. Import and install the patched image.
tmsh install /sys software image BIGIP-R36 P4.iso volume HD1.2

# 3. After reboot, verify.
tmsh show /sys version

Verify the fix landed


# CVE-2026-42934 verification checklist.

# 1. Confirm the running version matches R36 P4 (replace the version probe with
#    the platform-specific command shown above).

# 2. Re-scan the host with your vulnerability scanner (Nessus, Qualys, Tenable,
#    OpenVAS, Wazuh). The scanner must no longer flag CVE-2026-42934.

# 3. Inspect recent service and kernel logs for crash-loops or rollback events.
journalctl -u <service-name> --since "10 minutes ago"
dmesg --since "10 minutes ago"

# 4. Cross-check the running build against the vendor advisory:
#    https://my.f5.com/manage/s/article/K000161028

If you cannot patch immediately

Block network reachability to the affected service from untrusted networks. The patched build is the only durable fix; memory-disclosure bugs cannot be fully neutralized at the network layer.

How to verify the fix worked

After applying the patch, verify the running version in the product's admin UI or via the vendor-documented CLI command.
Confirm the patched build matches the version listed in the vendor advisory.
Run an authenticated vulnerability scan with a current signature set and confirm the scanner no longer flags CVE-2026-42934.
Review logs for the entire pre-patch window for indicators of compromise listed in the vendor or CISA advisory.
Confirm any network-layer mitigations that were applied as a stopgap have been reverted (or left in place intentionally) once the patch is verified.

If your installation was internet-reachable during the disclosure window, treat log review as part of the remediation rather than an optional follow-up. Look for log entries that do not match your normal request patterns, especially repeated requests to the same uncommon endpoint, and any administrative changes you cannot tie back to a known operator.

Frequently asked questions

Is CVE-2026-42934 being exploited in the wild?