Alpine: multiple nginx packages: security update to 1.28.3-r1

critical Tenable Self-Hosted Container Security Plugin ID 441847

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able
to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note:
Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-40460)

- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the
ssl_verify_client directive is set to "on" or "optional", and the ssl_ocsp directive is set to "on" or the
leaf parameter is configured together with a resolver. With this configuration, an unauthenticated attacker
can send requests that, under conditions beyond its control, may cause a heap-use-after-free error in the
NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker
process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not
evaluated. (CVE-2026-40701)

- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When the charset,
source_charset, and charset_map directives are configured together with proxy_pass and buffering disabled ("off"),
unauthenticated attackers can send requests that, under conditions beyond the attackers' control, cause a
heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
(CVE-2026-42934)

- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This
vulnerability exists when a rewrite directive is followed by a rewrite, if, or set directive and uses an
unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string
that includes a question mark (?). An unauthenticated attacker, under conditions beyond its control,
can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in
the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with
Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software
versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42945)

- A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in
excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an
unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream
server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions
which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42946)
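As an added triage aid that is not part of this plugin or of nginx, the following Python script flags which of the configuration preconditions listed above appear in an nginx configuration, so an operator can prioritise hosts before the package update lands. The directive mapping is my reading of the descriptions (for example, "disabled buffering" is taken as `proxy_buffering off` and HTTP/3 QUIC as `listen ... quic` or `http3 on`), the sample config is constructed, and the parser deliberately ignores block nesting.

```python
import re

FIXED_VERSION = "1.28.3-r1"  # fixed Alpine package version from the advisory

# Constructed sample config exercising three of the five preconditions.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        ssl_verify_client optional;
        ssl_ocsp on;          # OCSP validation of client certificates
        location /old/ {
            rewrite ^/old/(.*)$ /new?page=$1 last;
            set $flag 1;
        }
        location /app/ { uwsgi_pass unix:/tmp/app.sock; }
    }
}
"""

def directives(conf):
    """Flatten an nginx config into ordered (name, args) statements.
    Comments are dropped; nesting is ignored, which is enough for triage."""
    text = re.sub(r"#[^\n]*", "", conf)
    return [(m.group(1), m.group(2).strip())
            for m in re.finditer(r"([A-Za-z_]\w*)\s*([^;{}]*?)\s*[;{]", text)]

def affected_cves(conf):
    """Return the advisory CVEs whose configuration preconditions are present in conf."""
    ds = directives(conf)
    names = {n for n, _ in ds}
    has = lambda name, pat: any(d == name and re.search(pat, a) for d, a in ds)
    found = set()
    if has("listen", r"\bquic\b") or has("http3", r"^on$"):          # HTTP/3 QUIC listener
        found.add("CVE-2026-40460")
    if has("ssl_verify_client", r"^(on|optional)$") and (             # client certs + OCSP
            has("ssl_ocsp", r"^on$") or (has("ssl_ocsp", r"^leaf$") and "resolver" in names)):
        found.add("CVE-2026-40701")
    if ({"charset", "source_charset", "charset_map", "proxy_pass"} <= names
            and has("proxy_buffering", r"^off$")):                    # charset on unbuffered proxy
        found.add("CVE-2026-42934")
    for (n, a), (n2, _) in zip(ds, ds[1:]):                           # rewrite chain with $N and '?'
        parts = a.split()
        if (n == "rewrite" and n2 in ("rewrite", "if", "set") and len(parts) >= 2
                and re.search(r"\$\d", parts[1]) and "?" in parts[1]):
            found.add("CVE-2026-42945")
    if names & {"scgi_pass", "uwsgi_pass"}:                           # SCGI/uWSGI upstreams
        found.add("CVE-2026-42946")
    return sorted(found)

if __name__ == "__main__":
    print(affected_cves(SAMPLE_CONF))  # → ['CVE-2026-40701', 'CVE-2026-42945', 'CVE-2026-42946']
```

A hit only means the precondition is configured; the installed nginx-1.28.3-r1 package remains the actual fix.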

Solution

Update the nginx library and its related packages to version 1.28.3-r1 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-40460

https://security.alpinelinux.org/vuln/CVE-2026-40701

https://security.alpinelinux.org/vuln/CVE-2026-42934

https://security.alpinelinux.org/vuln/CVE-2026-42945

https://security.alpinelinux.org/vuln/CVE-2026-42946

Plugin Details

Severity: Critical

ID: 441847

Version: Revision 1.8

Type: Local

Published: 5/14/2026

Updated: 6/22/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

Percentile: 99.76

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2026-42946

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2026-42945

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 8.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-42945

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/13/2026

Exploitable With

Core Impact

Reference Information

CVE: CVE-2026-40460, CVE-2026-40701, CVE-2026-42934, CVE-2026-42945, CVE-2026-42946