Security update for nginx

Announcement ID:	SUSE-SU-2026:2050-1
Release Date:	2026-05-25T13:58:45Z
Rating:	important
References:	bsc#1260415 bsc#1260420 bsc#1265229 bsc#1265231 bsc#1265232 bsc#1265233
Cross-References:	CVE-2026-27651 CVE-2026-32647 CVE-2026-40701 CVE-2026-42934 CVE-2026-42945 CVE-2026-42946
CVSS scores:	CVE-2026-27651 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2026-27651 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-27651 ( NVD ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-27651 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-32647 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2026-32647 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-32647 ( NVD ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-32647 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-40701 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2026-40701 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2026-40701 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-40701 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2026-42934 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-42934 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2026-42934 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-42934 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2026-42945 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2026-42945 ( SUSE ): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2026-42945 ( NVD ): 9.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-42945 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-42946 ( SUSE ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-42946 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L CVE-2026-42946 ( NVD ): 8.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-42946 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
Affected Products:	openSUSE Leap 15.6 Server Applications Module 15-SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP6 LTSS SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves six vulnerabilities can now be installed.

Description:

This update for nginx fixes the following issues

• CVE-2026-27651: denial of service via undisclosed requests when the ngx_mail_auth_http_module is enabled (bsc#1260415).
• CVE-2026-32647: NGINX worker memory over-read or over-write via a specially crafted MP4 file (bsc#1260420).
• CVE-2026-40701: heap use-after-free in the worker process when the ssl_verify_client and the ssl_ocsp directives are set due to issue in the ngx_http_ssl_module module (bsc#1265229).
• CVE-2026-42934: heap buffer overread in the worker process due to issue in the ngx_http_charset_module module (bsc#1265231).
• CVE-2026-42945: heap buffer overflow via crafted HTTP requests due to issue in ngx_http_rewrite_module (bsc#1265232).
• CVE-2026-42946: excessive memory allocation and data overread due to issue in the ngx_http_scgi_module and ngx_http_uwsgi_module modules (bsc#1265233).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.6
  zypper in -t patch SUSE-2026-2050=1
• Server Applications Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP7-2026-2050=1
• SUSE Linux Enterprise Server 15 SP6 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2050=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP6
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2050=1

Package List:

• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  • nginx-debuginfo-1.21.5-150600.10.18.1
  • nginx-1.21.5-150600.10.18.1
  • nginx-debugsource-1.21.5-150600.10.18.1
• openSUSE Leap 15.6 (noarch)
  • nginx-source-1.21.5-150600.10.18.1
• Server Applications Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • nginx-debuginfo-1.21.5-150600.10.18.1
  • nginx-1.21.5-150600.10.18.1
  • nginx-debugsource-1.21.5-150600.10.18.1
• Server Applications Module 15-SP7 (noarch)
  • nginx-source-1.21.5-150600.10.18.1
• SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  • nginx-debuginfo-1.21.5-150600.10.18.1
  • nginx-1.21.5-150600.10.18.1
  • nginx-debugsource-1.21.5-150600.10.18.1
• SUSE Linux Enterprise Server 15 SP6 LTSS (noarch)
  • nginx-source-1.21.5-150600.10.18.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  • nginx-debuginfo-1.21.5-150600.10.18.1
  • nginx-1.21.5-150600.10.18.1
  • nginx-debugsource-1.21.5-150600.10.18.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch)
  • nginx-source-1.21.5-150600.10.18.1

References:

• https://www.suse.com/security/cve/CVE-2026-27651.html
• https://www.suse.com/security/cve/CVE-2026-32647.html
• https://www.suse.com/security/cve/CVE-2026-40701.html
• https://www.suse.com/security/cve/CVE-2026-42934.html
• https://www.suse.com/security/cve/CVE-2026-42945.html
• https://www.suse.com/security/cve/CVE-2026-42946.html
• https://bugzilla.suse.com/show_bug.cgi?id=1260415
• https://bugzilla.suse.com/show_bug.cgi?id=1260420
• https://bugzilla.suse.com/show_bug.cgi?id=1265229
• https://bugzilla.suse.com/show_bug.cgi?id=1265231
• https://bugzilla.suse.com/show_bug.cgi?id=1265232
• https://bugzilla.suse.com/show_bug.cgi?id=1265233