
Debian Nginx Critical Issues Bypass DoS Memory Disclosure DLA-4589-1

Debian LTS
May 18, 2026
Explore critical security update on Debian's nginx addressing multiple vulnerabilities, impacting server performance and data integrity.
Multiple vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in bypass of authorisation rules or rate limits, denial of ser...

Summary

CVE-2025-53859

NGINX Open Source has a vulnerability in the ngx_mail_smtp_module that
might allow an unauthenticated attacker to over-read NGINX SMTP
authentication process memory; as a result, the server side may leak
arbitrary bytes sent in a request to the authentication server. This issue
happens during the NGINX SMTP authentication process and requires the
attacker to make preparations against the target system to extract the
leaked data. The issue affects NGINX only if (1) it is built with the
ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method
"none," and (3) the authentication server returns the "Auth-Wait" response
header.
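
Conditions (1) and (2) of CVE-2025-53859 can be checked on the host, while (3) depends on how the authentication server responds. The following is an added example, not code from the advisory or the nginx project: the function names are hypothetical and the sample inputs are constructed in the style of `nginx -V` and `nginx -T` output.

```python
import re

# Constructed sample inputs (not from the advisory): `nginx -V`-style build
# arguments and an effective configuration as dumped by `nginx -T`.
SAMPLE_NGINX_V = "nginx version: nginx/1.18.0\nconfigure arguments: --with-mail=dynamic --with-mail_ssl_module\n"
SAMPLE_CONF = """\
load_module modules/ngx_mail_module.so;
mail {
    auth_http 127.0.0.1:9000/auth;
    server {
        listen 25;
        protocol smtp;
        smtp_auth login plain none;   # unauthenticated relay port
    }
    server {
        listen 587;
        # smtp_auth none;
        smtp_auth login plain;
    }
}
"""

def mail_smtp_compiled(nginx_v_output):
    """Condition (1): mail support is built (static or dynamic) and SMTP is not excluded."""
    args = nginx_v_output.split()
    has_mail = any(a == "--with-mail" or a.startswith("--with-mail=") for a in args)
    return has_mail and "--without-mail_smtp_module" not in args

def smtp_auth_none_directives(conf_text):
    """Condition (2): return (line_number, methods) for each smtp_auth listing "none"."""
    # Strip comments but keep newlines so line numbers match the input.
    # Simplification: a '#' inside a quoted string is treated as a comment too.
    text = re.sub(r"#[^\n]*", "", conf_text)
    hits = []
    for m in re.finditer(r"(?<![\w$])smtp_auth\s+([^;{}]+);", text):
        methods = m.group(1).split()
        if "none" in methods:
            hits.append((text.count("\n", 0, m.start()) + 1, methods))
    return hits

def check_exposure(nginx_v_output, conf_text):
    """Combine the two local conditions; (3) needs a look at the auth server."""
    compiled, hits = mail_smtp_compiled(nginx_v_output), smtp_auth_none_directives(conf_text)
    return {"smtp_module": compiled, "smtp_auth_none": hits,
            "review_auth_server_for_auth_wait": compiled and bool(hits)}

if __name__ == "__main__":
    print(check_exposure(SAMPLE_NGINX_V, SAMPLE_CONF))
```

When both local conditions hold, the remaining question is whether the `auth_http` endpoint ever returns the "Auth-Wait" header.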

CVE-2026-1642

A vulnerability exists in NGINX OSS when configured to proxy to upstream
Transport Layer Security (TLS) servers. An attacker with a
man-in-the-middle (MITM) position on the upstream server side—along with



Severity: critical

Package: nginx
Version: 1.18.0-6.1+deb11u6
CVE ID: CVE-2025-53859 CVE-2026-1642 CVE-2026-27651 CVE-2026-27654
Debian Bug: 1111138 1127053
