Critical Vulnerabilities Found in nginx Affecting openSUSE Leap 15.6

Critical Vulnerabilities Found in nginx Affecting openSUSE Leap 15.6

First seen 8 May 2026, 21:36 UTC Linuxsecurity 91% similarity 74.0

Article Content

Browse articles
ThreatCluster

A significant update for nginx has been released to address multiple vulnerabilities affecting openSUSE Leap 15.6. The vulnerabilities include CVE-2026-1642, a plaintext data injection flaw, CVE-2026-27654, a buffer overflow in the NGINX worker process, CVE-2026-27784, which allows memory overread or overwrite through a crafted MP4 file, and CVE-2026-28753, which enables arbitrary header injection via an attacker-controlled DNS server. These vulnerabilities could potentially allow attackers to exploit systems running nginx, leading to data breaches or service disruptions. Users are advised to apply the patches immediately using recommended installation methods. The vulnerabilities were published between February and March 2026, with the first public proof of concept for CVE-2026-27654 released on April 7, 2026. The affected systems include various architectures of openSUSE and SUSE Linux Enterprise Server.

Key Points: • Four critical vulnerabilities in nginx have been identified, affecting openSUSE Leap 15.6. • CVE-2026-27654 features a buffer overflow that can be exploited in the NGINX worker process. • Immediate patching is recommended to mitigate potential exploitation risks.

ThreatCluster AI

Timeline

2026-02-04
CVE-2026-1642 published
A plaintext data injection vulnerability was disclosed, allowing MITM attacks on nginx.
Linuxsecurity
2026-03-24
CVE-2026-27654 published
A buffer overflow vulnerability in nginx was published, affecting the worker process.
Linuxsecurity
2026-03-24
CVE-2026-27784 published
A memory overread vulnerability in nginx was disclosed, exploitable via crafted MP4 files.
Linuxsecurity
2026-03-24
CVE-2026-28753 published
Arbitrary header injection vulnerability was published, allowing exploitation via DNS servers.
Linuxsecurity
2026-04-07
First public PoC for CVE-2026-27654
A proof of concept was released for the buffer overflow vulnerability in nginx.
Linuxsecurity
2026-05-08
Patch released for nginx vulnerabilities
SUSE released an update addressing multiple critical vulnerabilities in nginx.
Linuxsecurity

Community

Browse all →