ELSA-2026-36331

ELSA-2026-36331 - nginx security, bug fix, and enhancement update

Type:SECURITY
Impact:IMPORTANT
Release Date:2026-07-13

Description


[1.20.1-28.0.1.el9_8.4]
- Reference oracle-indexhtml within Requires [Orabug: 33802044]
- Remove Red Hat references [Orabug: 29498217]
- Update upstream references [Orabug: 36579090]

[2:1.20.1-28.4]
- Resolves: RHEL-190800 - nginx: 'HTTP/2 bomb' nginx fix breaks module ABI
causing crashes
- Resolves: RHEL-188418 - nginx: NGINX: Arbitrary code execution or
Denial of Service via heap-based buffer overflow with crafted HTTP/2
headers (CVE-2026-42055)

[2:1.20.1-28.3]
- Resolves: RHEL-178684 - nginx: code execution and denial of
service (CVE-2026-9256)
- Resolves: RHEL-182553 - nginx: HTTP/2: Remote Denial of Service via
compression bomb and Slowloris-style attack

[2:1.20.1-28.2]
- Resolves: RHEL-176232 - nginx: NGINX: Arbitrary Code Execution
Vulnerability (CVE-2026-42945)

[2:1.20.1-28.1]
- RHEL-159560 CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module
- RHEL-159539 CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file
- RHEL-159447 CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled
- RHEL-157888 CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files


Related CVEs


CVE-2026-42055

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 9 (aarch64) nginx-1.20.1-28.0.1.el9_8.4.src.rpm74e319a48d803d1b5b17db5e322c6064007818018b0d66dc38ead91d71d3fa61-ol9_aarch64_appstream
nginx-1.20.1-28.0.1.el9_8.4.src.rpm74e319a48d803d1b5b17db5e322c6064007818018b0d66dc38ead91d71d3fa61-ol9_aarch64_codeready_builder
nginx-1.20.1-28.0.1.el9_8.4.aarch64.rpm94cbac20ff73ccf0a44b45e4960c315f67681bddc48214eb59d6789ea6d77080-ol9_aarch64_appstream
nginx-all-modules-1.20.1-28.0.1.el9_8.4.noarch.rpm36f41b61f952843f9b930a8e0b363ac47942bd0b44ae4acaa2b32c0c17804a52-ol9_aarch64_appstream
nginx-core-1.20.1-28.0.1.el9_8.4.aarch64.rpm553ebcef32014911c9fc5e0987e7252718d44858082b40233dcbb5299c0be3e6-ol9_aarch64_appstream
nginx-filesystem-1.20.1-28.0.1.el9_8.4.noarch.rpm6bdcab14b8a7a19b9b8f5489bc523f1daea09a802fc2211f19612ef91c5dfa3f-ol9_aarch64_appstream
nginx-mod-devel-1.20.1-28.0.1.el9_8.4.aarch64.rpm8c4ce3eb7c9551efe836cd76d9831989b6a5b685acc1783249dd65b9ebffa2e9-ol9_aarch64_codeready_builder
nginx-mod-http-image-filter-1.20.1-28.0.1.el9_8.4.aarch64.rpm75891b23937d2fa05ff309cb93bcd617139c7f79f4e87260c6010af2f2704958-ol9_aarch64_appstream
nginx-mod-http-perl-1.20.1-28.0.1.el9_8.4.aarch64.rpmaac11dfc53adaccab6c41f73187c66112f91c27c8d434fb2ce88c50cd21716ac-ol9_aarch64_appstream
nginx-mod-http-xslt-filter-1.20.1-28.0.1.el9_8.4.aarch64.rpm9a181b87a25e8b793586c50f45dc23bbc6bc51737cb8dc2903af82f58e796fc3-ol9_aarch64_appstream
nginx-mod-mail-1.20.1-28.0.1.el9_8.4.aarch64.rpmaafd5354ff2f944effd7de0bb3323fceb80bc39a292245496df61ab4adf3df6e-ol9_aarch64_appstream
nginx-mod-stream-1.20.1-28.0.1.el9_8.4.aarch64.rpm028f4eb88484e5a21e2ada480be94c1c852643e5aa9883e68f449d9a3325c25d-ol9_aarch64_appstream
Oracle Linux 9 (x86_64) nginx-1.20.1-28.0.1.el9_8.4.src.rpm74e319a48d803d1b5b17db5e322c6064007818018b0d66dc38ead91d71d3fa61-ol9_x86_64_appstream
nginx-1.20.1-28.0.1.el9_8.4.src.rpm74e319a48d803d1b5b17db5e322c6064007818018b0d66dc38ead91d71d3fa61-ol9_x86_64_codeready_builder
nginx-1.20.1-28.0.1.el9_8.4.x86_64.rpm620dd2f9f9aef77b354af0b3009e67f6f5c1d293acc531d4eeeb24e019f82a75-ol9_x86_64_appstream
nginx-all-modules-1.20.1-28.0.1.el9_8.4.noarch.rpm36f41b61f952843f9b930a8e0b363ac47942bd0b44ae4acaa2b32c0c17804a52-ol9_x86_64_appstream
nginx-core-1.20.1-28.0.1.el9_8.4.x86_64.rpmcc38f2382e698bd5b8f5892a7e069864f0768ef5891ae6720dda9c36a64e2ead-ol9_x86_64_appstream
nginx-filesystem-1.20.1-28.0.1.el9_8.4.noarch.rpm6bdcab14b8a7a19b9b8f5489bc523f1daea09a802fc2211f19612ef91c5dfa3f-ol9_x86_64_appstream
nginx-mod-devel-1.20.1-28.0.1.el9_8.4.x86_64.rpm35363a92c0eaec80a425013ea8c6bafd2873226e8ecfb9b911a35f953a616926-ol9_x86_64_codeready_builder
nginx-mod-http-image-filter-1.20.1-28.0.1.el9_8.4.x86_64.rpm65c2941064f8b919385ff9c8a25116f2cff964a0239d987148a7c76e4a63924b-ol9_x86_64_appstream
nginx-mod-http-perl-1.20.1-28.0.1.el9_8.4.x86_64.rpm301a1bf6360d7855c8493fd694f1cbc7b7e0f960fb2f8c8a53e59a0ade0feb3b-ol9_x86_64_appstream
nginx-mod-http-xslt-filter-1.20.1-28.0.1.el9_8.4.x86_64.rpm027fc7fa246eaeb5ab8a3cb42bf22166f7d0f6e68511075b62bab66c58650efd-ol9_x86_64_appstream
nginx-mod-mail-1.20.1-28.0.1.el9_8.4.x86_64.rpm67aaad1c90965cad430c0e15c55f9fb2b3cda136c174b2a5195480260bb0fdf2-ol9_x86_64_appstream
nginx-mod-stream-1.20.1-28.0.1.el9_8.4.x86_64.rpm4cec059f6d637e71768fb749484de9934c62f50a72e0bdf9c50b7ac393d0c026-ol9_x86_64_appstream



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete