This Red Hat security advisory addresses multiple high-severity vulnerabilities in the nginx:1.24 module for RHEL 9.6 EUS, including a buffer overflow in the `ngx_http_dav_module` and memory corruption from crafted MP4 files, which can lead to denial of service, code execution, or file modification. Based on authoritative NVD data, the underlying nginx open-source versions affected are 1.1.19 through 1.28.2 and 1.29.0 through 1.29.6, with fixes provided in versions 1.28.3 and 1.29.7. Red Hat has rated this update as Important and provides patched packages for the affected module.
Red Hat Product Errata RHSA-2026:15945 - Security Advisory Issued: 2026-05-11 Updated: 2026-05-11 RHSA-2026:15945 - Security Advisory Overview Updated Packages Synopsis Important: nginx:1.24 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for the nginx:1.24 module is now available for Red Hat Enterprise Linux 9.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix(es): nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files (CVE-2026-32647) NGINX: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module (CVE-2026-27654) NGINX: NGINX: Denial of Service due to memory corruption via crafted MP4 file (CVE-2026-27784) NGINX: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled (CVE-2026-27651) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64 Red Hat Enterprise Linux Server - AUS 9.6 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.6 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.6 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.6 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.6 s390x Fixes BZ - 2449598 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files BZ - 2450776 - CVE-2026-27654 NGINX: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module BZ - 2450785 - CVE-2026-27784 NGINX: NGINX: Denial of Service due to memory corruption via crafted MP4 file BZ - 2450791 - CVE-2026-27651 NGINX: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled CVEs CVE-2026-27651 CVE-2026-27654 CVE-2026-27784 CVE-2026-32647 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 SRPM nginx-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.src.rpm SHA-256: 4b9118988192c5b5bf5198eb36a16eea1a510f8f8902ab092793bc4bd01d2cb4 x86_64 nginx-all-modules-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: 5b896e505e6e4fb4d3c6b6dd03b8d8c65b80cd5ddc40782f9a93000d2e741d39 nginx-filesystem-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: d32195bcd192e726dec48a481d46b85129b23e145da1c5beafb587b8a16ed1d8 nginx-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 27c6397beeca9fe00a4f9ca118a7b3df17b5f7da64f6b00312d92a2c127e68ae nginx-all-modules-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: 5b896e505e6e4fb4d3c6b6dd03b8d8c65b80cd5ddc40782f9a93000d2e741d39 nginx-core-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 01735b3457e49b7dd6b78c1f8a33e1521a415ea97004b97b544e17bd9c0d94e5 nginx-core-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 3167d55fb5b6a2e609aa96d6cbf92ff7d004c9860ad267a4faf52db9ef312df9 nginx-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 99e359282b17b1fe8fff0298945b65d2bd1f5e47d6e503959af520b71945ec5c nginx-debugsource-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 9845edc2bcc20033d71c8e50a75eb6af4300c0913310adb775d4e8d3d819d96a nginx-filesystem-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: d32195bcd192e726dec48a481d46b85129b23e145da1c5beafb587b8a16ed1d8 nginx-mod-devel-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 5711f68e3eab89d0c912a6cf041dcec4b830b502769adfc59a39bb5e710206b0 nginx-mod-http-image-filter-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 47ea9fc7b8145e0340be741bfbc3be2937b86e37083efd21f06f51dba78878bc nginx-mod-http-image-filter-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 4e9bf980816d29ea6f72afffad5110a3cf966a942662922ee2e4e74882505792 nginx-mod-http-perl-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 3b2256fb54dc75611bed7f838c46d60839f5b6756736498787daa7fb969b3acf nginx-mod-http-perl-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: bb2eb1cf51a0c14e2e1c3981cf3602d128084030fea94b3ec900f0fadc95e4ff nginx-mod-http-xslt-filter-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 0e1e762be0e87880826eec68c7345a2cae06c564b0d2f39fda620f86d6917964 nginx-mod-http-xslt-filter-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: dc0efb80e503d9d6b3636123103d60077ff703b189128dc0df3af26fb0d01a24 nginx-mod-mail-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: b1006de9c3f80daf5d0c5cb0e7ca90bdcaab422ddef69aaa1e3ba23d5b78c338 nginx-mod-mail-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 86ae64b39d58eb3e68c68b91d16a2ce8f3659693f09f32d70de6040b6ef0cdc5 nginx-mod-stream-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: f45eb070ec33584bacbed9d647195bd572d3df5ef7b3631cc8c73c6c55481c71 nginx-mod-stream-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 27a7f4ded6045a368a570135a3d21855a080c5a27e7069afa7a4f05022d983d6 nginx-all-modules-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: 5b896e505e6e4fb4d3c6b6dd03b8d8c65b80cd5ddc40782f9a93000d2e741d39 nginx-filesystem-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: d32195bcd192e726dec48a481d46b85129b23e145da1c5beafb587b8a16ed1d8 nginx-all-modules-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: 5b896e505e6e4fb4d3c6b6dd03b8d8c65b80cd5ddc40782f9a93000d2e741d39 nginx-filesystem-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: d32195bcd192e726dec48a481d46b85129b23e145da1c5beafb587b8a16ed1d8 Red Hat Enterprise Linux Server - AUS 9.6 SRPM nginx-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.src.rpm SHA-256: 4b9118988192c5b5bf5198eb36a16eea1a510f8f8902ab092793bc4bd01d2cb4 x86_64 nginx-all-modules-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: 5b896e505e6e4fb4d3c6b6dd03b8d8c65b80cd5ddc40782f9a93000d2e741d39 nginx-filesystem-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: d32195bcd192e726dec48a481d46b85129b23e145da1c5beafb587b8a16ed1d8 nginx-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 27c6397beeca9fe00a4f9ca118a7b3df17b5f7da64f6b00312d92a2c127e68ae nginx-all-modules-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: 5b896e505e6e4fb4d3c6b6dd03b8d8c65b80cd5ddc40782f9a93000d2e741d39 nginx-core-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 01735b3457e49b7dd6b78c1f8a33e1521a415ea97004b97b544e17bd9c0d94e5 nginx-core-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 3167d55fb5b6a2e609aa96d6cbf92ff7d004c9860ad267a4faf52db9ef312df9 nginx-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 99e359282b17b1fe8fff0298945b65d2bd1f5e47d6e503959af520b71945ec5c nginx-debugsource-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 9845edc2bcc20033d71c8e50a75eb6af4300c0913310adb775d4e8d3d819d96a nginx-filesystem-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.noarch.rpm SHA-256: d32195bcd192e726dec48a481d46b85129b23e145da1c5beafb587b8a16ed1d8 nginx-mod-devel-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 5711f68e3eab89d0c912a6cf041dcec4b830b502769adfc59a39bb5e710206b0 nginx-mod-http-image-filter-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 47ea9fc7b8145e0340be741bfbc3be2937b86e37083efd21f06f51dba78878bc nginx-mod-http-image-filter-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 4e9bf980816d29ea6f72afffad5110a3cf966a942662922ee2e4e74882505792 nginx-mod-http-perl-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 3b2256fb54dc75611bed7f838c46d60839f5b6756736498787daa7fb969b3acf nginx-mod-http-perl-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: bb2eb1cf51a0c14e2e1c3981cf3602d128084030fea94b3ec900f0fadc95e4ff nginx-mod-http-xslt-filter-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 0e1e762be0e87880826eec68c7345a2cae06c564b0d2f39fda620f86d6917964 nginx-mod-http-xslt-filter-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: dc0efb80e503d9d6b3636123103d60077ff703b189128dc0df3af26fb0d01a24 nginx-mod-mail-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: b1006de9c3f80daf5d0c5cb0e7ca90bdcaab422ddef69aaa1e3ba23d5b78c338 nginx-mod-mail-debuginfo-1.24.0-4.module+el9.6.0+24259+49d2cefe.2.x86_64.rpm SHA-256: 86ae64b39d58eb3e68c68b91d16a2ce8f3659693f09f32d70de6040b6ef0cdc5 nginx-mod-stream-1.24.0-4.module+el