Skip to main content
Mallory
Back to vulnerabilities
Unrated

Heap Buffer Over-read in NGINX ngx_http_charset_module

IdentifiersCVE-2026-48142CWE-125

CVE-2026-48142 is a heap buffer over-read vulnerability in NGINX Open Source and NGINX Plus affecting ngx_http_charset_module. The issue is triggered when content is served or proxied through a location block configured with both "source_charset utf-8;" and a "charset" directive, and decoding occurs through the charset_map path. A remote, unauthenticated attacker can send requests that, together with application-controlled conditions outside the attacker’s direct control, cause NGINX to process a specially crafted UTF-8 response body and read past the end of a heap buffer in the worker process. The flaw is an over-read rather than an overflow, and the vulnerable behavior occurs during UTF-8 decoding and charset conversion in ngx_http_charset_module.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause limited disclosure of memory from the NGINX worker process and may also trigger a worker process restart, resulting in reduced service reliability or denial-of-service conditions. Available reporting characterizes the disclosure as limited, but such memory exposure could still aid exploit chaining, including ASLR bypass in broader attack scenarios.

Mitigation

If you can’t patch tonight, do this now.

Until patches are applied, avoid configurations in which a location block simultaneously uses "source_charset utf-8;" and a "charset" directive for content served or proxied through ngx_http_charset_module, particularly where charset conversion relies on charset_map. Limit exposure of affected locations and review charset-related configuration to reduce reachable attack surface.

Remediation

Patch, then assume compromise.

Upgrade to a vendor-fixed release. The provided content indicates fixes were included in NGINX Open Source 1.31.2 and 1.30.3, and in NGINX Plus 37.0.2.1 and R36 P6. Systems on End of Technical Support releases are not evaluated and should be upgraded to supported versions. After upgrading, review charset-related configuration using ngx_http_charset_module to ensure it aligns with vendor guidance.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
F5Nginxapplication
F5Nginx Plusapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
thecybersecguruNews
Jun 19, 2026
CVE-2026-42530 & CVE-2026-42055: NGINX RCE Flaws Explained | The CyberSec Guru

A low-severity heap buffer over-read in NGINX charset conversion handling that can disclose limited worker process memory and could aid exploit chains by providing an information leak.

Read more
thecybersecguruNews
Jun 19, 2026
CVE-2026-42530 & CVE-2026-42055: NGINX RCE Flaws Explained | The CyberSec Guru

A low-severity heap buffer over-read in ngx_http_charset_module that can disclose limited worker process memory during crafted charset decoding.

Read more
cyber security newsNews
Jun 18, 2026
F5 Patches NGINX Vulnerability That Enables Code Execution and DoS Attacks

A medium-severity vulnerability in the NGINX ngx_http_charset_module that could impact application behavior or degrade service reliability.

Read more
opennet ruNews
Dec 25, 2025
���������� nginx 1.31.2 � ����������� �����������, ��������������� ����� HTTP/3, HTTP2 � gRPC

A medium-severity nginx vulnerability in ngx_http_charset_module involving specially crafted UTF-8 input and charset conversion handling.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-48142
NVD
nvd.nist.gov/vuln/detail/CVE-2026-48142
MITRE CWE · CWE-125
cwe.mitre.org