Security update for nginx

Announcement ID:	SUSE-SU-2026:1953-1
Release Date:	2026-05-18T07:53:53Z
Rating:	important
References:	bsc#1243502 bsc#1257675 bsc#1260416 bsc#1260417 bsc#1260418
Cross-References:	CVE-2026-1642 CVE-2026-27654 CVE-2026-27784 CVE-2026-28753
CVSS scores:	CVE-2026-1642 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVE-2026-1642 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-1642 ( NVD ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-1642 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2026-27654 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2026-27654 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2026-27654 ( NVD ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-27654 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2026-27784 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-27784 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-27784 ( NVD ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-27784 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-27784 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-28753 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-28753 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-28753 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-28753 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:	openSUSE Leap 15.4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP5 LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves four vulnerabilities and has one security fix can now be installed.

Description:

This update for nginx fixes the following issues

Security issues:

• CVE-2026-1642: plain text data injection into the response from an upstream proxied server (bsc#1257675).
• CVE-2026-27654: buffer overflow in the NGINX worker process via the ngx_http_dav_module module (bsc#1260416).
• CVE-2026-27784: NGINX worker memory over-read or over-write via a specially crafted MP4 file (bsc#1260417).
• CVE-2026-28753: improper handling onf CRLF sequences in DNS responses allows for arbitrary header injection into SMTP upstream requests (bsc#1260418).

Non security issue:

• nginx always runs into "timed out. Killing" on shutdown when there are long-running processes (bsc#1243502).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1953=1
• SUSE Linux Enterprise Server 15 SP4 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1953=1
• SUSE Linux Enterprise Server 15 SP5 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1953=1
• openSUSE Leap 15.4
  zypper in -t patch SUSE-2026-1953=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1953=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1953=1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1953=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1953=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1953=1

Package List:

• SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (aarch64 x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• openSUSE Leap 15.4 (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (aarch64 x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
  • nginx-source-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
  • nginx-debugsource-1.21.5-150400.3.15.1
  • nginx-1.21.5-150400.3.15.1
  • nginx-debuginfo-1.21.5-150400.3.15.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
  • nginx-source-1.21.5-150400.3.15.1

References:

• https://www.suse.com/security/cve/CVE-2026-1642.html
• https://www.suse.com/security/cve/CVE-2026-27654.html
• https://www.suse.com/security/cve/CVE-2026-27784.html
• https://www.suse.com/security/cve/CVE-2026-28753.html
• https://bugzilla.suse.com/show_bug.cgi?id=1243502
• https://bugzilla.suse.com/show_bug.cgi?id=1257675
• https://bugzilla.suse.com/show_bug.cgi?id=1260416
• https://bugzilla.suse.com/show_bug.cgi?id=1260417
• https://bugzilla.suse.com/show_bug.cgi?id=1260418