Public bug reported:

Affected: nginx 1.24.0-2ubuntu7.10, Ubuntu 24.04 LTS (noble), amd64.
Introduced by USN-8398-1 / CVE-2026-49975.
Last known-good: 1.24.0-2ubuntu7.9.

Summary:
The CVE-2026-49975 fix added a `max_headers` field to core request/config structs (ngx_http_request.h, ngx_http_core_module.h; it also touches src/http/v2/ngx_http_v2.c). This changes the module ABI, but the `nginx-abi-1.24.0-1` virtual package was NOT bumped. Because the ABI version is unchanged, nginx-abi-dependent third-party module packages were not rebuilt and remain binary-incompatible with the new core. The in-tree module packages (image-filter, perl, xslt, etc.) rebuilt with the source and are fine; out-of-tree universe modules did not.

Impact:
Any noble host running a universe/third-party nginx dynamic module is broken after this update. Workers segfault on essentially every request, taking the site down. Confirmed with libnginx-mod-http-headers-more-filter 0.37-2build1.

Steps to reproduce:
1. noble host with libnginx-mod-http-headers-more-filter loaded (load_module .../ngx_http_headers_more_filter_module.so;) and a `more_set_headers` directive in the config.
2. Upgrade nginx to 1.24.0-2ubuntu7.10 and restart.
3. curl -k https://127.0.0.1/ -H 'Host: example' -> connection drops with no HTTP response.

Actual result (worker segfaults):
nginx[...]: segfault at ... ip ... error 7 in ngx_http_headers_more_filter_module.so[...]
nginx[...]: worker process ... exited on signal 11 (core dumped)

Expected result:
The module loads and serves normally, as it did on 1.24.0-2ubuntu7.9.

Note (jammy vs noble):
On Ubuntu 22.04 (jammy), these third-party modules ship inside the nginx source package and carry the same version string as core (e.g. USN-8038-1 shipped headers-more and others at 1.18.0-6ubuntu14.8), so they are rebuilt with every nginx USN and are unaffected. On noble these are separate packages gated by the `nginx-abi` dependency, which is why a missed ABI bump breaks them specifically. This is a noble-specific regression.
Dependency evidence:
$ dpkg -s libnginx-mod-http-headers-more-filter | grep Depends
Depends: nginx-abi-1.24.0-1, libc6 (>= 2.14)
The dependency stays satisfied across 7.9 -> 7.10 (same nginx-abi-1.24.0-1), so dpkg/apt never flag the now-incompatible module.

Workaround:
Downgrade the nginx core stack to 1.24.0-2ubuntu7.9 (the module stays at 0.37-2build1, which matches the 7.9 ABI). Service is restored. Note this re-exposes CVE-2026-49975 until a proper fix is available.

Suggested fix:
Bump nginx-abi-1.24.0-1 to reflect the struct/ABI change, and binNMU the dependent third-party module source packages (e.g. headers-more) so the universe modules are rebuilt against 7.10.

References:
USN-8398-1
CVE-2026-49975

** Affects: nginx (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2156040
Title:
  nginx 1.24.0-2ubuntu7.10 (noble): ABI change in CVE-2026-49975 fix not reflected in nginx-abi, crashing third-party modules
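Triage helper for the "Actual result" log lines above, as an added example that is not part of the bug report: it attributes worker segfaults in kernel/journal lines to the faulting shared object and cross-checks that object against the load_module directives in the nginx config, so the crashing out-of-tree module can be named before deciding on the downgrade. The log lines and config fragment are constructed, and the module paths are assumptions.

```python
import re

# Constructed sample log, modelled on the format quoted in the bug report
# (not real crash output from any host).
SAMPLE_LOG = """\
kernel: nginx[2231]: segfault at 18 ip 00007f3c1a2b4c10 sp 00007ffd9e1c0a40 error 7 in ngx_http_headers_more_filter_module.so[7f3c1a2b0000+9000]
nginx[2200]: [alert] 2200#2200: worker process 2231 exited on signal 11 (core dumped)
kernel: nginx[2240]: segfault at 18 ip 00007f3c1a2b4c10 sp 00007ffd9e1c0a40 error 7 in ngx_http_headers_more_filter_module.so[7f3c1a2b0000+9000]
nginx[2200]: [alert] 2200#2200: worker process 2240 exited on signal 11 (core dumped)
"""

# Constructed nginx.conf fragment; the module paths are assumptions.
SAMPLE_CONF = """\
load_module modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_image_filter_module.so;
worker_processes 2;
"""

# Kernel fault line: the object after "in" is where the faulting instruction lives.
SEGFAULT_RE = re.compile(r"nginx\[\d+\]: segfault at .*? in (?P<so>[^\s\[]+\.so)\[")
# nginx master's own report of a worker dying on SIGSEGV (signal 11).
EXIT_RE = re.compile(r"worker process \d+ exited on signal 11")
LOAD_MODULE_RE = re.compile(r"^\s*load_module\s+(\S+?)\s*;", re.MULTILINE)


def loaded_modules(conf_text):
    """Map module file name -> configured path for every load_module directive."""
    return {p.rsplit("/", 1)[-1]: p for p in LOAD_MODULE_RE.findall(conf_text)}


def crashed_objects(log_text):
    """Count segfaults per shared object named in the kernel fault lines."""
    counts = {}
    for m in SEGFAULT_RE.finditer(log_text):
        counts[m.group("so")] = counts.get(m.group("so"), 0) + 1
    return counts


def worker_sig11_count(log_text):
    """Number of worker exits on signal 11 reported by the master process."""
    return len(EXIT_RE.findall(log_text))


def triage(log_text, conf_text):
    """[(module file, config path, segfault count)] for loaded dynamic modules
    that are the faulting object: the modules to suspect after a core upgrade."""
    mods = loaded_modules(conf_text)
    return sorted((so, mods[so], n) for so, n in crashed_objects(log_text).items() if so in mods)


if __name__ == "__main__":
    for so, path, n in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{so} ({path}): {n} worker segfault(s)")
    print(f"{worker_sig11_count(SAMPLE_LOG)} worker exit(s) on signal 11")
```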
