nginx exploit for versions 0.6.27 – 1.30.0:
exploit for CVE-2026-42945
fixed in 1.31.0, 1.30.1
will hestiacp get its nginx auto updated?
apparently there is protection if ASLR is enabled (which it normally is) but that could be broken in the near future.
cat /proc/sys/kernel/randomize_va_space should return a 2 if ASLR is enabled on your system.
yunli
May 14, 2026, 8:32pm
2
Don’t panic, young one. First, this file needs to successfully reach your server before any of the subsequent events can occur. Let’s just wait patiently for the official update package to be released!
yunli:
Don’t panic,
Yes, there is no need to panic but…
No, the PoC is remote and unauthenticated. The difference lies in whether you achieve DoS (almost always) or full RCE (depends on ASLR and the exact server configuration). Also, to exploit the vulnerability you need a rewrite with unnamed captures, and Hestia doesn’t use rewrite in its configuration.
That said, the risk is minimal in the current version of Hestia, but Hestia should still be updated. I’ve created this PR.
main ← sahsanu:bump-hestia-nginx-version-1.30.1
opened 09:05PM - 14 May 26 UTC
Nginx 1.30.x is the new stable version and version **1.30.1** fixes a few critical security fixes.
**Changes with nginx 1.30.1 - 13 May 2026**
*) Security: when using the "proxy_set_body" directive, an attacker
might inject data in the proxied request to an HTTP/2 backend
(CVE-2026-42926).
Thanks to Mufeed VH of Winfunc Research.
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution (CVE-2026-42945).
Thanks to Leo Lin.
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially crafted response by
ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker
to cause a disclosure of worker process memory or segmentation fault
in a worker process (CVE-2026-42946).
Thanks to Leo Lin.
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially sent response with decoding from
UTF-8 via the "charset_map" directive, allowing an attacker to cause
a limited disclosure of worker process memory or segmentation fault
in a worker process (CVE-2026-42934).
Thanks to David Carlier.
*) Security: when using HTTP/3, processing of connection migration might
cause new QUIC streams to receive a new client address before
validation, allowing an attacker to cause address spoofing
(CVE-2026-40460).
Thanks to Rodrigo Laneth.
*) Security: use-after-free might occur during DNS server response
processing if the "ssl_ocsp" directive was used, allowing an attacker
to cause worker process memory corruption or segmentation fault in a
worker process (CVE-2026-40701).
Thanks to Leo Lin.
*) Bugfix: connections with HTTP/2 backends might not be cached when
using the "proxy_set_body" or "proxy_pass_request_body" directives.
*) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be
transferred incorrectly if the first line was not fully read.
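
A triage script for the conditions named in this thread, added here as an example (it is not from the posts, Hestia or nginx): it checks a version against the affected range quoted above, looks for `rewrite` directives with unnamed captures, and reads the ASLR setting. Function names and the sample configs are constructed; the version and config directory are passed in as arguments.

```shell
#!/bin/sh
# Added example, not Hestia or nginx project code. Version range and the ASLR
# value "2" are taken from the thread; function names and samples are made up.

ver_num() (  # "1.30.0" -> 1030000, so versions compare as integers
    IFS=.; set -- $1
    echo "$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))"
)

version_affected() {  # true for 0.6.27 .. 1.30.0 (fixed in 1.30.1 / 1.31.0)
    v=$(ver_num "$1")
    [ "$v" -ge "$(ver_num 0.6.27)" ] && [ "$v" -le "$(ver_num 1.30.0)" ]
}

# List rewrite directives whose regex has an unnamed capture: a "(" that is not
# followed by "?" (named and non-capturing groups all begin with "(?").
# Heuristic only: commented-out lines are skipped, an escaped "\(" still matches.
unnamed_capture_rewrites() {
    grep -rnE '^[[:space:]]*rewrite[[:space:]]+[^[:space:]]*\(([^?]|$)' "$1" 2>/dev/null
}

aslr_value() {  # 2 = enabled per the thread; file path overridable for tests
    cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null || echo unknown
}

triage() {  # usage: triage NGINX_VERSION CONF_DIR [ASLR_FILE]
    if ! version_affected "$1"; then echo "patched"; return 0; fi
    if [ -n "$(unnamed_capture_rewrites "$2")" ]; then
        echo "affected rewrite=unnamed-capture aslr=$(aslr_value "$3")"
    else
        echo "affected rewrite=none-found aslr=$(aslr_value "$3")"
    fi
}

make_sample() {  # constructed config files, for demonstration only
    mkdir -p "$1/a" "$1/b"
    cat > "$1/a/site.conf" <<'EOF'
server {
    # rewrite ^/old/(.*)$ /new/$1;   (commented out, ignored)
    rewrite ^/blog/(.*)$ /news/$1 permanent;
}
EOF
    cat > "$1/b/site.conf" <<'EOF'
server {
    rewrite ^/u/(?<id>[0-9]+)$ /user?id=$id last;
    rewrite ^/(?:en|de)/home$ /home last;
}
EOF
}

if [ $# -ge 2 ]; then triage "$@"; fi
```

A "none-found" result only covers the directory that was scanned, so included files outside it need their own pass.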
nu01
May 15, 2026, 5:32pm
4
Meanwhile, not completely off the hook people, you can check the vul updates via: CVE-2026-42945
Keep in mind that Hestia doesn’t use either Debian or Ubuntu packages to install Nginx.
yunli
May 15, 2026, 6:48pm
6
HestiaCP has its own configured nginx program named hestia-nginx.
nu01
May 17, 2026, 10:26am
7
Yup, am aware of that. I am just sharing info.