Skip to content

nginx: patch CVE-2026-42945 and related CVEs via overlay#343

Merged
oliver-ni merged 1 commit into
mainfrom
devin/1778832236-nginx-cve-patches
May 15, 2026
Merged

nginx: patch CVE-2026-42945 and related CVEs via overlay#343
oliver-ni merged 1 commit into
mainfrom
devin/1778832236-nginx-cve-patches

Conversation

@devin-ai-integration

Copy link
Copy Markdown
Contributor

Summary

Applies upstream nginx security patches via a nixpkgs overlay to address 5 CVEs disclosed on 2026-05-13, including the critical CVE-2026-42945 ("NGINX Rift") heap buffer overflow (CVSS v4 9.2).

The nixos-25.11 channel is stuck on an April 30 build and hasn't advanced in over two weeks, so the fix merged into release-25.11 via nixpkgs#520076 is not yet available through normal channel updates. This overlay applies the same upstream patches directly to pkgs.nginx until the channel catches up.

CVEs patched:

CVE Description
CVE-2026-40460 HTTP/3 address spoofing
CVE-2026-40701 Use-after-free in OCSP resolver
CVE-2026-42934 Buffer overread in charset module
CVE-2026-42945 Heap buffer overflow in rewrite module (NGINX Rift, CVSS 9.2)
CVE-2026-42946 Buffer overread in scgi/uwsgi modules

Affected hosts: scootaloo (matrix), spike (niks3-cache), amethyst (webhost), termites & anglerfish (jukebox)

Note: While none of our nginx configs currently contain the specific rewrite pattern that triggers CVE-2026-42945, patching is still important as a defense-in-depth measure and to address the other CVEs. This overlay should be removed once flake.lock points to a nixpkgs with nginx >= 1.30.1.

Review & Testing Checklist for Human

  • Verify the overlay builds correctly: nix build .#nixosConfigurations.amethyst.config.system.build.toplevel (or any host running nginx)
  • Confirm the patched nginx binary includes the fixes: check nginx -V output on a test deploy
  • After the nixos-25.11 channel advances past the fix, remove this overlay from flake.nix to avoid patch conflicts

Notes

Patch hashes are taken directly from nixpkgs#520076 which was reviewed by NixOS security team and merged on May 14.

Link to Devin session: https://app.devin.ai/sessions/99413c6842484ce9a99d3cc881ca7b2d
Requested by: @oliver-ni

Apply upstream patches for the following CVEs disclosed 2026-05-13:
- CVE-2026-40460: HTTP/3 address spoofing
- CVE-2026-40701: use-after-free in OCSP resolver
- CVE-2026-42934: buffer overread in charset module
- CVE-2026-42945: heap buffer overflow in rewrite module (NGINX Rift)
- CVE-2026-42946: buffer overread in scgi/uwsgi modules

Patches are taken from the upstream nginx commits, matching what
nixpkgs#520076 applied to release-25.11. This overlay should be
removed once the nixos-25.11 channel advances past the fix.

Co-Authored-By: Oliver Ni <oliver.ni@gmail.com>
@devin-ai-integration

Copy link
Copy Markdown
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@oliver-ni
oliver-ni merged commit 74b3013 into main May 15, 2026
3 checks passed
@oliver-ni
oliver-ni deleted the devin/1778832236-nginx-cve-patches branch May 15, 2026 08:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant