CVE-2026-40701

EUVD-2026-29981
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting.



 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
Affected Products (NVD)
VendorProductVersion
f5dos
4.3.0 ≤
𝑥
≤ 4.7.0
f5dos
4.8.0
f5nginx_gateway_fabric
1.3.0 ≤
𝑥
≤ 1.6.2
f5nginx_gateway_fabric
2.0.0 ≤
𝑥
≤ 2.6.0
f5nginx_ingress_controller
3.5.0 ≤
𝑥
≤ 3.7.2
f5nginx_ingress_controller
4.0.0 ≤
𝑥
≤ 4.0.1
f5nginx_ingress_controller
5.0.0 ≤
𝑥
≤ 5.4.2
f5nginx_instance_manager
2.16.0 ≤
𝑥
≤ 2.22.0
f5nginx_open_source
1.19.0 ≤
𝑥
≤ 1.30.0
f5nginx_plus
r32 ≤
𝑥
≤ r36
f5waf
4.9.0 ≤
𝑥
≤ 4.16.0
f5waf
5.1.0 ≤
𝑥
≤ 5.8.0
f5waf
5.9.0 ≤
𝑥
≤ 5.12.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nginx
bookworm
vulnerable
bookworm (security)
1.22.1-9+deb12u8
fixed
bullseye
vulnerable
bullseye (security)
1.18.0-6.1+deb11u7
fixed
forky
1.30.1-4
fixed
sid
1.30.1-5
fixed
trixie
vulnerable
trixie (security)
1.26.3-3+deb13u6
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nginx
suse enterprise sap 15 SP4
1.21.5-150400.3.20.1
fixed
suse enterprise sap 15 SP5
1.21.5-150400.3.20.1
fixed
suse enterprise sap 15 SP7
1.21.5-150600.10.18.1
fixed
suse enterprise server 15 SP4
1.21.5-150400.3.20.1
fixed
suse enterprise server 15 SP5
1.21.5-150400.3.20.1
fixed
suse enterprise server 15 SP6
1.21.5-150600.10.18.1
fixed
suse enterprise server 15 SP7
1.21.5-150600.10.18.1
fixed
nginx-source
suse enterprise sap 15 SP4
1.21.5-150400.3.20.1
fixed
suse enterprise sap 15 SP5
1.21.5-150400.3.20.1
fixed
suse enterprise sap 15 SP7
1.21.5-150600.10.18.1
fixed
suse enterprise server 15 SP4
1.21.5-150400.3.20.1
fixed
suse enterprise server 15 SP5
1.21.5-150400.3.20.1
fixed
suse enterprise server 15 SP6
1.21.5-150600.10.18.1
fixed
suse enterprise server 15 SP7
1.21.5-150600.10.18.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
nginx
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-all-modules
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-core
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-core-debuginfo
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-debuginfo
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-debugsource
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-filesystem
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-devel
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-http-image-filter
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-http-image-filter-debuginfo
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-http-perl
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-http-perl-debuginfo
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-http-xslt-filter
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-http-xslt-filter-debuginfo
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-mail
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-mail-debuginfo
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-stream
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
nginx-mod-stream-debuginfo
Amazon Linux 2023
1:1.30.1-1.amzn2023.0.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
nginx
Azure Linux 3.0
0:1.28.3-2.azl3
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://my.f5.com/manage/s/article/K000161021