Medium

Use-after-free in NGINX ngx_http_ssl_module OCSP resolver handling

IdentifiersCVE-2026-40701CWE-416· Use After Free

CVE-2026-40701 is a use-after-free vulnerability in NGINX Plus and NGINX Open Source within ngx_http_ssl_module. The issue is triggered in configurations where client certificate verification is enabled via ssl_verify_client set to "on" or "optional," and OCSP handling is enabled via ssl_ocsp set to "on" or where leaf parameters are configured with a resolver. Available supporting content indicates the flaw occurs in asynchronous OCSP DNS resolution handling: if a TLS connection closes before asynchronous OCSP DNS resolution completes, the associated context pool can be destroyed without cancelling the outstanding resolver request. Subsequent resolver processing can then dereference freed heap memory in the NGINX worker process, causing a heap use-after-free condition.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may cause the NGINX worker process to hit a heap use-after-free, leading to worker crash and restart. Vendor-linked descriptions also state the vulnerability may allow limited modification of data in the worker process. The available content does not provide evidence of full remote code execution; the documented impact is limited data modification and service instability through worker restarts.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling the vulnerable feature combination: avoid configurations where ssl_verify_client is set to "on" or "optional" together with ssl_ocsp enabled, or with OCSP leaf parameters configured to use a resolver. More generally, disable client-certificate OCSP validation paths that require asynchronous DNS resolution until patched. This is a temporary mitigation only.

Remediation

Patch, then assume compromise.

Upgrade to a fixed NGINX release. The provided content states fixes are included in NGINX Open Source 1.30.1 and 1.31.0. For NGINX Plus, apply the vendor-provided patched release corresponding to the advisory and supported branch. Restart affected services after upgrading so patched worker processes are running.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

F5Nginxapplication

F5Nginx Plusapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app

cyberthroneNews

May 17, 2026

CVE-2026-42945 - NGINX Heap Buffer Overflow RCE - TheCyberThrone

A medium-severity use-after-free vulnerability in NGINX ngx_http_ssl_module involving asynchronous OCSP DNS resolution after TLS connection closure.

security affairsNews

May 14, 2026

NGINX Rift: an 18-year-old flaw in the world's most deployed web server just came to light

A use-after-free vulnerability in NGINX ngx_http_ssl_module that may allow limited data modification or worker restart when specific client verification and OCSP settings are enabled.

the hacker newsNews

May 14, 2026

18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

A use-after-free vulnerability in NGINX ngx_http_ssl_module that can permit limited data modification or worker process restart when specific SSL client verification and OCSP settings are enabled.

bleeping computerNews

May 14, 2026

18-year-old NGINX vulnerability allows DoS, potential RCE

A use-after-free vulnerability in NGINX asynchronous OCSP DNS resolution handling.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-40701

NVD

nvd.nist.gov/vuln/detail/CVE-2026-40701

MITRE CWE · CWE-416

Use After Free

my.f5.com

my.f5.com/manage/s/article/K000161021