[USN-8210-1] nginx vulnerabilities

Mon, 27 Apr 2026 06:39:10 -0700 

==========================================================================
Ubuntu Security Notice USN-8210-1
April 27, 2026

nginx vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in nginx.

Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

It was discovered that the nginx ngx_mail_auth_http_module module
incorrectly handled certain requests. An attacker could possibly use this
issue to cause nginx to crash, resulting in a denial of service.
(CVE-2026-27651)

It was discovered that the nginx ngx_http_dav_module module incorrectly
handled certain destination URIs. An attacker could use this issue to cause
nginx to crash, resulting in a denial of service, or possibly modify source
or destination names outside of the document root. (CVE-2026-27654)

It was discovered that the nginx ngx_http_mp4_module module incorrectly
handled certain MP4 files. An attacker could use this issue to cause nginx
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2026-27784, CVE-2026-32647)

It was discovered that the nginx ngx_mail_smtp_module module incorrectly
handled certain CRLF sequences. An attacker could possibly use this issue
to inject arbitrary SMTP headers. (CVE-2026-28753)

It was discovered that the nginx ngx_stream_ssl_module module incorrectly
handled revoked certificates. This could result in successful TLS
handshakes even after an OCSP check identifies a certificate as revoked,
contrary to expectations. This issue only affected Ubuntu 24.04 LTS and
Ubuntu 25.10. (CVE-2026-28755)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  nginx                           1.28.0-6ubuntu1.2
  nginx-core                      1.28.0-6ubuntu1.2
  nginx-extras                    1.28.0-6ubuntu1.2
  nginx-full                      1.28.0-6ubuntu1.2
  nginx-light                     1.28.0-6ubuntu1.2

Ubuntu 24.04 LTS
  nginx                           1.24.0-2ubuntu7.7
  nginx-core                      1.24.0-2ubuntu7.7
  nginx-extras                    1.24.0-2ubuntu7.7
  nginx-full                      1.24.0-2ubuntu7.7
  nginx-light                     1.24.0-2ubuntu7.7

Ubuntu 22.04 LTS
  nginx                           1.18.0-6ubuntu14.10
  nginx-core                      1.18.0-6ubuntu14.10
  nginx-extras                    1.18.0-6ubuntu14.10
  nginx-full                      1.18.0-6ubuntu14.10
  nginx-light                     1.18.0-6ubuntu14.10

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8210-1
  CVE-2026-27651, CVE-2026-27654, CVE-2026-27784, CVE-2026-28753,
  CVE-2026-28755, CVE-2026-32647

Package Information:
  https://launchpad.net/ubuntu/+source/nginx/1.28.0-6ubuntu1.2
  https://launchpad.net/ubuntu/+source/nginx/1.24.0-2ubuntu7.7
  https://launchpad.net/ubuntu/+source/nginx/1.18.0-6ubuntu14.10

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to