ELSA-2026-38847

ELSA-2026-38847 - nginx:1.24 security, bug fix, and enhancement update

Type:SECURITY
Impact:IMPORTANT
Release Date:2026-07-14

Description


[1.24.0-3.0.1.3]
- Remove Red Hat references [Orabug: 29498217]

[1:1.24.0-3.3]
- Resolves: RHEL-191779 - nginx: 'HTTP/2 bomb' nginx fix breaks module ABI
causing crashes
- Resolves: RHEL-188406 - nginx: NGINX: Arbitrary code execution or.
Denial of Service via heap-based buffer overflow with crafted HTTP/2
headers (CVE-2026-42055)

[1:1.24.0-3.2]
- Resolves: RHEL-178676 - nginx:1.24/nginx: code execution and denial
of service (CVE-2026-9256)
- Resolves: RHEL-182543 - nginx: HTTP/2: Remote Denial of Service via
compression bomb and Slowloris-style attack

[1:1.24.0-3.1]
- Resolves: RHEL-176224 - nginx:1.24/nginx: NGINX: Arbitrary Code Execution
Vulnerability (CVE-2026-42945)

[1:1.24.0-3]
- Resolves: RHEL-157877 CVE-2026-32647 nginx:1.24/nginx: NGINX: Denial of
Service or Code Execution via specially crafted MP4 files
- Resolves: RHEL-159436 CVE-2026-27651 nginx:1.24/nginx: NGINX: Denial of
Service via undisclosed requests when ngx_mail_auth_http_module is enabled
- Resolves: RHEL-159549 CVE-2026-27654 nginx:1.24/nginx: NGINX: Denial of
Service or file modification via buffer overflow in ngx_http_dav_module
- Resolves: RHEL-159528 CVE-2026-27784 nginx:1.24/nginx: NGINX: Denial of
Service due to memory corruption via crafted MP4 file

[1:1.24.0-2]
- Resolves: RHEL-146517 - nginx:1.24/nginx: NGINX: Data injection via
man-in-the-middle attack on TLS proxied connections (CVE-2026-1642)

[1:1.24.0-1]
- Resolves: RHEL-14714 - add nginx:1.24 to RHEL 8.10

[1:1.22.1-2]
- Resolves: RHEL-12728 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web
servers are vulnerable to a DDoS attack (Rapid Reset Attack)(CVE-2023-44487)

[1:1.22.1-1]
- Resolves: #2112345 - nginx:1.22 for RHEL 8
- add stream_geoip_module and stream_realip_module
- remove obsolete --with-ipv6

[1:1.20.1-1]
- rebase to 1.20.1 (addressing CVE-2021-23017)


Related CVEs


CVE-2026-42055

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 8 (aarch64) nginx-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.src.rpm8cb734fe0d4eac9e7f477061e395309d574f308d80c4d56746d18bbf0c3aa092-ol8_aarch64_appstream
nginx-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.aarch64.rpm5b9d97eac23c7450d1a055a6a13af3cacfc3b80692434bbf945aca36413e0c4e-ol8_aarch64_appstream
nginx-all-modules-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.noarch.rpmc5aa1b3e6471a6c6634079c38af9f75d193385d192196020a2714f4677dace6e-ol8_aarch64_appstream
nginx-filesystem-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.noarch.rpm4ffeeebe4f557f32e1ddec349bd89db07516c7ffd125ab175e1ed0adf3b8408c-ol8_aarch64_appstream
nginx-mod-devel-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.aarch64.rpm118d09f29de744fbf47e7e72296e23a4390c0e0b19f8f42281857d137b832f61-ol8_aarch64_appstream
nginx-mod-http-image-filter-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.aarch64.rpm7e355322e699aee29c6baa91beeb9d85185f50991438c3bdf892fe5b6cc20ac0-ol8_aarch64_appstream
nginx-mod-http-perl-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.aarch64.rpm04ef79c06dabd15371d0b282da08b55dcbb9a251a20baa033f501e8000c38ac7-ol8_aarch64_appstream
nginx-mod-http-xslt-filter-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.aarch64.rpm8dfd4199aac3b4c9cbd390ffe7a2f749b400081ecf2bfd235a6ac149934dbbc4-ol8_aarch64_appstream
nginx-mod-mail-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.aarch64.rpmc850787a0824535bbc304c0994599d4c2a93ae716ee7b4396864cb0d757cf197-ol8_aarch64_appstream
nginx-mod-stream-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.aarch64.rpm49884d6dcc6ab299270ea6dbcddad689d643441a789f84108cd6055939b93080-ol8_aarch64_appstream
Oracle Linux 8 (x86_64) nginx-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.src.rpm8cb734fe0d4eac9e7f477061e395309d574f308d80c4d56746d18bbf0c3aa092-ol8_x86_64_appstream
nginx-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.x86_64.rpm8d25bcbbe76dd72be2fff39335514c355a64dfed6f4ea7ae1b1b4a43ac5ab4f4-ol8_x86_64_appstream
nginx-all-modules-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.noarch.rpmc5aa1b3e6471a6c6634079c38af9f75d193385d192196020a2714f4677dace6e-ol8_x86_64_appstream
nginx-filesystem-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.noarch.rpm4ffeeebe4f557f32e1ddec349bd89db07516c7ffd125ab175e1ed0adf3b8408c-ol8_x86_64_appstream
nginx-mod-devel-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.x86_64.rpm084f4351f7d4441d6bb1101dff7455aeff55b53e63c74eeef1d96aa4827b58d0-ol8_x86_64_appstream
nginx-mod-http-image-filter-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.x86_64.rpm5c7ecf47dd1b04a4e725608d7e7e59ae4a7ff52e061b8972412dcb898558b6d1-ol8_x86_64_appstream
nginx-mod-http-perl-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.x86_64.rpm99b9d5dafa4ea41c92334729a6159ec28b385474fc6e24959432013e1bc1f20e-ol8_x86_64_appstream
nginx-mod-http-xslt-filter-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.x86_64.rpmbc57b4cefce8d67b685de1b55b40e5b42f48d229e077eace5355c0648180412d-ol8_x86_64_appstream
nginx-mod-mail-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.x86_64.rpm3669b11da5bd0b9e8e1e39d662f8539d00c99259d2322086306063a72eeff51c-ol8_x86_64_appstream
nginx-mod-stream-1.24.0-3.0.1.module+el8.10.0+90952+25c71254.3.x86_64.rpm1bfe3dd748071214b59c5e74ec3becc9b1c0a7cfc29d96eebe6dcd84aa69e026-ol8_x86_64_appstream



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete