#1140361 nginx: CVE-2026-48142

Package:
src:nginx
Source:
src:nginx
Submitter:
Salvatore Bonaccorso
Date:
2026-06-24 20:37:05 UTC
Severity:
normal
#1140361#5
Date:
2026-06-19 03:51:12 UTC
Hi,

The following vulnerability was published for nginx.

CVE-2026-48142[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_charset_module module. When content is served or proxied
| through a location block with both source_charset utf-8; and a
| charset directive (for example, charset koi8-r;) configured, remote,
| unauthenticated attackers can send requests (in conjunction with
| conditions beyond their control) to cause a heap buffer over-read in
| the NGINX worker process, leading to limited disclosure of memory or
| a restart. Note: Software versions which have reached End of
| Technical Support (EoTS) are not evaluated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48142
https://www.cve.org/CVERecord?id=CVE-2026-48142
[1] https://my.f5.com/manage/s/article/K000161585
[2] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
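
The configuration condition named in the CVE description can be checked for in an existing setup. The following is an added example, not code from this bug report or from the nginx project: it flags every `location` in which `source_charset utf-8` and an active `charset` are both in effect. It goes beyond the literal wording by also counting values inherited from enclosing `http`, `server` or `location` levels, on the assumption that nginx's usual directive inheritance applies; the function names and the sample configuration are constructed for illustration.

```python
import re

# Group 1 is a quoted string, brace, semicolon or bare word; it is empty for '#' comments.
TOKEN = re.compile(r'''#[^\n]*|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+)''')

def parse(conf_text):
    """Build a tree of blocks; each node records only the charset directives set in it."""
    root = {"name": "main", "own": {}, "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf_text):
        if tok not in ("", "{", "}", ";"):
            words.append(tok)
        elif tok == ";":
            if len(words) >= 2 and words[0] in ("charset", "source_charset"):
                stack[-1]["own"][words[0]] = words[1].strip("\"'").lower()
            words = []
        elif tok == "{":
            node = {"name": " ".join(words), "own": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            words = []
        elif tok == "}" and len(stack) > 1:
            stack.pop()
    return root

def exposed_locations(conf_text):
    """Return (path, charset) per location with source_charset utf-8 and a charset in effect."""
    hits = []
    def walk(node, inherited, path):
        eff = {**inherited, **node["own"]}   # values set in this block override inherited ones
        if (node["name"].startswith("location") and eff.get("source_charset") == "utf-8"
                and eff.get("charset", "off") != "off"):
            hits.append((" > ".join(path[1:] + [node["name"]]), eff["charset"]))
        for child in node["children"]:       # resolve after parsing, so directive order is irrelevant
            walk(child, eff, path + [node["name"]])
    walk(parse(conf_text), {}, [])
    return hits

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """
http { source_charset utf-8;
  server {
    location /legacy/ { charset koi8-r; }
    location /plain/  { charset off; }
    location /api/    { source_charset windows-1251; charset utf-8; }
    location /docs/   { location /docs/ru/ { root /srv/ru; } charset koi8-r; }
  } }
"""

print(exposed_locations(SAMPLE))
```

The parser does not follow `include` directives, so feed it the fully expanded configuration, for example the output of `nginx -T`.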

#1140361#10
Date:
2026-06-24 20:35:50 UTC
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140361@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Mojžíš <janmojzis@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 24 Jun 2026 19:29:57 +0000
Source: nginx
Architecture: source
Version: 1.30.1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Jan Mojžíš <janmojzis@debian.org>
Closes: 1124757 1140361 1140605
Changes:
 nginx (1.30.1-6) unstable; urgency=medium
 .
   * d/p/fix-cache-line-size-for-loongarch64.patch add,
     backport loongarch64 detection and set cache line size 64
     (Closes: 1140605)
   * d/control: add `Suggests logrotate` for nginx-common (Closes: 1124757)
   * d/changelog: fix the 1.30.1-5 entry, which already closed bug #1140361
     (Closes: 1140361)
Git-Tag-Info: tag=8f13e9810e558ec9b570bf61f59886ed4b11929f fp=d008b0c23d8479e46b9fcb9045da517496939ff9
Git-Tag-Tagger: Jan Mojžíš <jan.mojzis@gmail.com>