Alpine: multiple nginx packages: security update to 1.28.3-r0

high Tenable Self-Hosted Container Security Plugin ID 439254

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow
an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in
termination of the NGINX worker process or modification of source or destination file names outside the
document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV
module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias
directives. The integrity impact is constrained because the NGINX worker process user has low privileges
and does not have access to the entire system. Note: Software versions which have reached End of Technical
Support (EoTS) are not evaluated. (CVE-2026-27654)

- When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed
requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP
authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait
response header. Note: Software versions which have reached End of Technical Support (EoTS) are not
evaluated. (CVE-2026-27651)

- The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module,
which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination,
using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with
the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the
attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the
ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are
not evaluated. (CVE-2026-27784)

- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the
improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to
inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note:
Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-28753)

Solution

Update the nginx library and its related packages to version 1.28.3-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-27651

https://security.alpinelinux.org/vuln/CVE-2026-27654

https://security.alpinelinux.org/vuln/CVE-2026-27784

https://security.alpinelinux.org/vuln/CVE-2026-28753

https://security.alpinelinux.org/vuln/CVE-2026-28755

https://security.alpinelinux.org/vuln/CVE-2026-32647

Plugin Details

Severity: High

ID: 439254

Version: Revision 1.6

Type: Local

Published: 3/26/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2026-27654

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-28755

CVSS v4

Risk Factor: High

Base Score: 8.8

Threat Score: 7.8

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/24/2026

Reference Information

CVE: CVE-2026-27651, CVE-2026-27654, CVE-2026-27784, CVE-2026-28753, CVE-2026-28755, CVE-2026-32647