Version in base suite: 1.26.3-3+deb13u4 Version in overlay suite: 1.26.3-3+deb13u5 Base version: nginx_1.26.3-3+deb13u5 Target version: nginx_1.26.3-3+deb13u6 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.26.3-3+deb13u5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.26.3-3+deb13u6.dsc changelog | 23 ++ patches/CVE-2026-42946.1.patch | 42 +++++ patches/CVE-2026-42946.2.patch | 84 ++++++++++ patches/CVE-2026-42946.patch | 88 ----------- patches/CVE-2026-9256.patch | 73 +++++++++ patches/FIX-HTTP2bomb.patch | 319 +++++++++++++++++++++++++++++++++++++++++ patches/series | 5 7 files changed, 545 insertions(+), 89 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmm7tm97z/nginx_1.26.3-3+deb13u5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmm7tm97z/nginx_1.26.3-3+deb13u6.dsc: no acceptable signature found diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog --- nginx-1.26.3/debian/changelog 2026-05-15 14:13:33.000000000 +0000 +++ nginx-1.26.3/debian/changelog 2026-06-05 12:22:02.000000000 +0000 @@ -1,3 +1,26 @@ +nginx (1.26.3-3+deb13u6) trixie-security; urgency=medium + + * Apply both patches to fix CVE-2026-42946. In the previous version, + only one part of the patch was applied, so the fix was incomplete. + This really fixes CVE-2026-42946, thanks to charles@debian.org for + pointing it out. + * d/p/CVE-2026-42946.patch rename to d/p/CVE-2026-42946.2.patch + * d/p/CVE-2026-42946.1.patch add + * backport fix for buffer overflow vulnerability in the + ngx_http_rewrite_module (CVE-2026-9256) from upstream 1.30.2 nginx. + * d/p/CVE-2026-9256.patch add + * backport max_headers directive from upstream nginx. It limits the number + of request headers accepted from clients. Fixes remote denial-of-service + exploit. + And move max_headers from core module to the ngx_http_header_count_module + to avoid potential ABI breakage and keep all the 3rd party modules + compatible with the new version of nginx without recompilation. + A big thanks to Miao Wang for preparing the modification. + Fixes TEMP-1138794-BADE22. + * d/p/FIX-HTTP2bomb.patch add + + -- Jan Mojžíš Fri, 05 Jun 2026 12:22:02 +0000 + nginx (1.26.3-3+deb13u5) trixie-security; urgency=medium * backport changes from upstream nginx, HTTP/3 address spoofing diff -Nru nginx-1.26.3/debian/patches/CVE-2026-42946.1.patch nginx-1.26.3/debian/patches/CVE-2026-42946.1.patch --- nginx-1.26.3/debian/patches/CVE-2026-42946.1.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-42946.1.patch 2026-06-05 12:22:02.000000000 +0000 @@ -0,0 +1,42 @@ +From: Sergey Kandaurov +Date: Wed, 29 Apr 2026 21:56:51 +0400 +Subject: Upstream: reset parsing state after invalid status line + +Previously, it was possible to start parsing headers with a wrong +parsing state after status line was not recognized, as a fallback +used in the scgi and uwsgi modules. + +Reported by Leo Lin. + +Origin: upstream, https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e +Forwarded: not-needed +Last-Update: 2026-05-18 +--- + src/http/modules/ngx_http_scgi_module.c | 1 + + src/http/modules/ngx_http_uwsgi_module.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c +index 7216f78..c10e3b4 100644 +--- a/src/http/modules/ngx_http_scgi_module.c ++++ b/src/http/modules/ngx_http_scgi_module.c +@@ -984,6 +984,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_scgi_process_header; ++ r->state = 0; + return ngx_http_scgi_process_header(r); + } + +diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c +index 56dc236..17880b3 100644 +--- a/src/http/modules/ngx_http_uwsgi_module.c ++++ b/src/http/modules/ngx_http_uwsgi_module.c +@@ -1194,6 +1194,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_uwsgi_process_header; ++ r->state = 0; + return ngx_http_uwsgi_process_header(r); + } + diff -Nru nginx-1.26.3/debian/patches/CVE-2026-42946.2.patch nginx-1.26.3/debian/patches/CVE-2026-42946.2.patch --- nginx-1.26.3/debian/patches/CVE-2026-42946.2.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-42946.2.patch 2026-06-05 12:22:02.000000000 +0000 @@ -0,0 +1,84 @@ +Origin: https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd +From: Sergey Kandaurov +Date: Wed, 29 Apr 2026 23:02:20 +0400 +Subject: [PATCH] Upstream: fixed parsing of split status lines + +If the first response line was split across reads and it didn't appear +a status line, the portion already processed was lost. To preserve ABI, +the change reuses r->header_name_start for proper backtracking on status +line fallback. +--- + src/http/modules/ngx_http_proxy_module.c | 5 +++++ + src/http/modules/ngx_http_scgi_module.c | 5 +++++ + src/http/modules/ngx_http_uwsgi_module.c | 5 +++++ + 3 files changed, 15 insertions(+) + +diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c +index 3aafb99..dfecb00 100644 +--- a/src/http/modules/ngx_http_proxy_module.c ++++ b/src/http/modules/ngx_http_proxy_module.c +@@ -1728,6 +1728,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status); + + if (rc == NGX_AGAIN) { +@@ -1735,6 +1739,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) + } + + if (rc == NGX_ERROR) { ++ u->buffer.pos = r->header_name_start; + + #if (NGX_HTTP_CACHE) + +diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c +index c10e3b4..6b80218 100644 +--- a/src/http/modules/ngx_http_scgi_module.c ++++ b/src/http/modules/ngx_http_scgi_module.c +@@ -976,6 +976,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, status); + + if (rc == NGX_AGAIN) { +@@ -984,6 +988,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_scgi_process_header; ++ u->buffer.pos = r->header_name_start; + r->state = 0; + return ngx_http_scgi_process_header(r); + } +diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c +index 17880b3..c605226 100644 +--- a/src/http/modules/ngx_http_uwsgi_module.c ++++ b/src/http/modules/ngx_http_uwsgi_module.c +@@ -1186,6 +1186,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + u = r->upstream; + ++ if (r->state == 0) { ++ r->header_name_start = u->buffer.pos; ++ } ++ + rc = ngx_http_parse_status_line(r, &u->buffer, status); + + if (rc == NGX_AGAIN) { +@@ -1194,6 +1198,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) + + if (rc == NGX_ERROR) { + u->process_header = ngx_http_uwsgi_process_header; ++ u->buffer.pos = r->header_name_start; + r->state = 0; + return ngx_http_uwsgi_process_header(r); + } diff -Nru nginx-1.26.3/debian/patches/CVE-2026-42946.patch nginx-1.26.3/debian/patches/CVE-2026-42946.patch --- nginx-1.26.3/debian/patches/CVE-2026-42946.patch 2026-05-15 14:13:33.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-42946.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,88 +0,0 @@ -Origin: https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd -From 39d7d0ba0799fcff6baee52b6525f45739593cfd Mon Sep 17 00:00:00 2001 -From: Sergey Kandaurov -Date: Wed, 29 Apr 2026 23:02:20 +0400 -Subject: [PATCH] Upstream: fixed parsing of split status lines - -If the first response line was split across reads and it didn't appear -a status line, the portion already processed was lost. To preserve ABI, -the change reuses r->header_name_start for proper backtracking on status -line fallback. ---- - src/http/modules/ngx_http_proxy_module.c | 5 +++++ - src/http/modules/ngx_http_scgi_module.c | 5 +++++ - src/http/modules/ngx_http_uwsgi_module.c | 5 +++++ - 3 files changed, 15 insertions(+) - -diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c -index 0b388b30f..276cc0750 100644 ---- a/src/http/modules/ngx_http_proxy_module.c -+++ b/src/http/modules/ngx_http_proxy_module.c -@@ -1752,6 +1752,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) - - u = r->upstream; - -+ if (r->state == 0) { -+ r->header_name_start = u->buffer.pos; -+ } -+ - rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status); - - if (rc == NGX_AGAIN) { -@@ -1759,6 +1763,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) - } - - if (rc == NGX_ERROR) { -+ u->buffer.pos = r->header_name_start; - - #if (NGX_HTTP_CACHE) - -diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c -index 290394a1f..b4a73a5a6 100644 ---- a/src/http/modules/ngx_http_scgi_module.c -+++ b/src/http/modules/ngx_http_scgi_module.c -@@ -1028,6 +1028,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) - - u = r->upstream; - -+ if (r->state == 0) { -+ r->header_name_start = u->buffer.pos; -+ } -+ - rc = ngx_http_parse_status_line(r, &u->buffer, status); - - if (rc == NGX_AGAIN) { -@@ -1036,6 +1040,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) - - if (rc == NGX_ERROR) { - u->process_header = ngx_http_scgi_process_header; -+ u->buffer.pos = r->header_name_start; - return ngx_http_scgi_process_header(r); - } - -diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c -index 4140b1b40..ecd6dd0d7 100644 ---- a/src/http/modules/ngx_http_uwsgi_module.c -+++ b/src/http/modules/ngx_http_uwsgi_module.c -@@ -1267,6 +1267,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) - - u = r->upstream; - -+ if (r->state == 0) { -+ r->header_name_start = u->buffer.pos; -+ } -+ - rc = ngx_http_parse_status_line(r, &u->buffer, status); - - if (rc == NGX_AGAIN) { -@@ -1275,6 +1279,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) - - if (rc == NGX_ERROR) { - u->process_header = ngx_http_uwsgi_process_header; -+ u->buffer.pos = r->header_name_start; - return ngx_http_uwsgi_process_header(r); - } - --- -2.53.0 - diff -Nru nginx-1.26.3/debian/patches/CVE-2026-9256.patch nginx-1.26.3/debian/patches/CVE-2026-9256.patch --- nginx-1.26.3/debian/patches/CVE-2026-9256.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/CVE-2026-9256.patch 2026-06-05 12:22:02.000000000 +0000 @@ -0,0 +1,73 @@ +Origin: https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068 +From 3f135ae2eb60ce376196c898a6c7cb4d774f7068 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Thu, 14 May 2026 18:42:18 +0400 +Subject: [PATCH] Rewrite: fix buffer overflow with overlapping captures + +When the rewrite replacement string had no variables, but had +overlapping captures, the length of the allocated buffer could be +smaller than the replacement string. This could happen either +when the "redirect" parameter is specified, or when arguments are +present in the replacement string. + +The following configurations resulted in heap buffer overflow when +using URI "/++++++++++++++++++++++++++++++": + + location / { + rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect; + return 200 foo; + } + + location / { + rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2; + return 200 foo; + } + +Reported by Mufeed VH of Winfunc Research. +--- + src/http/ngx_http_script.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c +index 2ea611373..8a28e23a6 100644 +--- a/src/http/ngx_http_script.c ++++ b/src/http/ngx_http_script.c +@@ -1037,6 +1037,8 @@ ngx_http_script_start_args_code(ngx_http_script_engine_t *e) + void + ngx_http_script_regex_start_code(ngx_http_script_engine_t *e) + { ++ int *cap; ++ u_char *p; + size_t len; + ngx_int_t rc; + ngx_uint_t n; +@@ -1143,15 +1145,19 @@ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e) + if (code->lengths == NULL) { + e->buf.len = code->size; + +- if (code->uri) { +- if (r->ncaptures && (r->quoted_uri || r->plus_in_uri)) { +- e->buf.len += 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, +- NGX_ESCAPE_ARGS); +- } +- } ++ cap = r->captures; ++ p = r->captures_data; + + for (n = 2; n < r->ncaptures; n += 2) { +- e->buf.len += r->captures[n + 1] - r->captures[n]; ++ e->buf.len += cap[n + 1] - cap[n]; ++ ++ if (code->uri) { ++ if (r->quoted_uri || r->plus_in_uri) { ++ e->buf.len += 2 * ngx_escape_uri(NULL, &p[cap[n]], ++ cap[n + 1] - cap[n], ++ NGX_ESCAPE_ARGS); ++ } ++ } + } + + } else { +-- +2.53.0 + diff -Nru nginx-1.26.3/debian/patches/FIX-HTTP2bomb.patch nginx-1.26.3/debian/patches/FIX-HTTP2bomb.patch --- nginx-1.26.3/debian/patches/FIX-HTTP2bomb.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.26.3/debian/patches/FIX-HTTP2bomb.patch 2026-06-05 12:22:02.000000000 +0000 @@ -0,0 +1,319 @@ +From 365694160a85229a7cb006738de9260d49ff5fa2 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin +Date: Fri, 24 May 2024 00:20:01 +0300 +Subject: [PATCH] Added max_headers directive. + +The directive limits the number of request headers accepted from clients. +While the total amount of headers is believed to be sufficiently limited +by the existing buffer size limits (client_header_buffer_size and +large_client_header_buffers), the additional limit on the number of headers +might be beneficial to better protect backend servers. + +Requested by Maksim Yevmenkin. + +The original patch was modified so that the header count and the limit are +stored in a separate module, ngx_http_header_count_module, instead of the +core module. This allows to avoid changing the size of existing structures +and thus avoid potential ABI breakage and keep all the 3rd party modules +compatible with the new version of nginx without recompilation. + +Signed-off-by: Elijah Zupancic +Origin: +--- + auto/modules | 1 + + src/http/ngx_http_core_module.c | 73 +++++++++++++++++++++++++++++++++++++++ + src/http/ngx_http_header_count.hh | 14 ++++++++ + src/http/ngx_http_request.c | 24 +++++++++++++ + src/http/v2/ngx_http_v2.c | 14 ++++++++ + src/http/v3/ngx_http_v3_request.c | 14 ++++++++ + 6 files changed, 140 insertions(+) + create mode 100644 src/http/ngx_http_header_count.hh + +diff --git a/auto/modules b/auto/modules +index 1a5e421..e7632fd 100644 +--- a/auto/modules ++++ b/auto/modules +@@ -67,6 +67,7 @@ if [ $HTTP = YES ]; then + ngx_module_name="ngx_http_module \ + ngx_http_core_module \ + ngx_http_log_module \ ++ ngx_http_header_count_module \ + ngx_http_upstream_module" + ngx_module_incs="src/http src/http/modules" + ngx_module_deps="src/http/ngx_http.h \ +diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c +index 033a3bf..c736d83 100644 +--- a/src/http/ngx_http_core_module.c ++++ b/src/http/ngx_http_core_module.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + + typedef struct { +@@ -39,6 +40,10 @@ static void *ngx_http_core_create_loc_conf(ngx_conf_t *cf); + static char *ngx_http_core_merge_loc_conf(ngx_conf_t *cf, + void *parent, void *child); + ++static void *ngx_http_header_count_create_srv_conf(ngx_conf_t *cf); ++static char *ngx_http_header_count_merge_srv_conf(ngx_conf_t *cf, ++ void *parent, void *child); ++ + static char *ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd, + void *dummy); + static char *ngx_http_core_location(ngx_conf_t *cf, ngx_command_t *cmd, +@@ -812,6 +817,48 @@ ngx_module_t ngx_http_core_module = { + NGX_MODULE_V1_PADDING + }; + ++static ngx_command_t ngx_http_header_count_commands[] = { ++ ++ { ngx_string("max_headers"), ++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_HTTP_SRV_CONF_OFFSET, ++ offsetof(ngx_http_header_count_conf_t, max_headers), ++ NULL }, ++ ++ ngx_null_command ++}; ++ ++static ngx_http_module_t ngx_http_header_count_module_ctx = { ++ NULL, /* preconfiguration */ ++ NULL, /* postconfiguration */ ++ ++ NULL, /* create main configuration */ ++ NULL, /* init main configuration */ ++ ++ ngx_http_header_count_create_srv_conf, /* create server configuration */ ++ ngx_http_header_count_merge_srv_conf, /* merge server configuration */ ++ ++ NULL, /* create location configuration */ ++ NULL /* merge location configuration */ ++}; ++ ++ ++ngx_module_t ngx_http_header_count_module = { ++ NGX_MODULE_V1, ++ &ngx_http_header_count_module_ctx, /* module context */ ++ ngx_http_header_count_commands, /* module directives */ ++ NGX_HTTP_MODULE, /* module type */ ++ NULL, /* init master */ ++ NULL, /* init module */ ++ NULL, /* init process */ ++ NULL, /* init thread */ ++ NULL, /* exit thread */ ++ NULL, /* exit process */ ++ NULL, /* exit master */ ++ NGX_MODULE_V1_PADDING ++}; ++ + + ngx_str_t ngx_http_core_get_method = { 3, (u_char *) "GET" }; + +@@ -3653,6 +3700,32 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf) + } + + ++static void * ++ngx_http_header_count_create_srv_conf(ngx_conf_t *cf) ++{ ++ ngx_http_header_count_conf_t *hccf; ++ ++ hccf = ngx_pcalloc(cf->pool, sizeof(ngx_http_header_count_conf_t)); ++ if (hccf == NULL) { ++ return NULL; ++ } ++ ++ hccf->max_headers = NGX_CONF_UNSET_UINT; ++ return hccf; ++} ++ ++static char * ++ngx_http_header_count_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ++{ ++ ngx_http_header_count_conf_t *prev = parent; ++ ngx_http_header_count_conf_t *conf = child; ++ ++ ngx_conf_merge_uint_value(conf->max_headers, prev->max_headers, 1000); ++ ++ return NGX_CONF_OK; ++} ++ ++ + static ngx_str_t ngx_http_core_text_html_type = ngx_string("text/html"); + static ngx_str_t ngx_http_core_image_gif_type = ngx_string("image/gif"); + static ngx_str_t ngx_http_core_image_jpeg_type = ngx_string("image/jpeg"); +diff --git a/src/http/ngx_http_header_count.hh b/src/http/ngx_http_header_count.hh +new file mode 100644 +index 0000000..6a8b86d +--- /dev/null ++++ b/src/http/ngx_http_header_count.hh +@@ -0,0 +1,14 @@ ++#ifndef _NGX_HTTP_HEADER_COUNT_H_INCLUDED_ ++#define _NGX_HTTP_HEADER_COUNT_H_INCLUDED_ ++ ++typedef struct { ++ ngx_uint_t count; ++} ngx_http_header_count_t; ++ ++typedef struct { ++ ngx_uint_t max_headers; ++} ngx_http_header_count_conf_t; ++ ++extern ngx_module_t ngx_http_header_count_module; ++ ++#endif /* _NGX_HTTP_HEADER_COUNT_H_INCLUDED_ */ +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index 9593b7f..88165b4 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + + static void ngx_http_wait_request_handler(ngx_event_t *ev); +@@ -565,6 +566,7 @@ ngx_http_alloc_request(ngx_connection_t *c) + ngx_http_connection_t *hc; + ngx_http_core_srv_conf_t *cscf; + ngx_http_core_main_conf_t *cmcf; ++ ngx_http_header_count_t *hc_ctx; + + hc = c->data; + +@@ -626,6 +628,13 @@ ngx_http_alloc_request(ngx_connection_t *c) + return NULL; + } + ++ hc_ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_header_count_t)); ++ if (hc_ctx == NULL) { ++ ngx_destroy_pool(r->pool); ++ return NULL; ++ } ++ ngx_http_set_ctx(r, hc_ctx, ngx_http_header_count_module); ++ + #if (NGX_HTTP_SSL) + if (c->ssl && !c->ssl->sendfile) { + r->main_filter_need_in_memory = 1; +@@ -1399,6 +1408,8 @@ ngx_http_process_request_headers(ngx_event_t *rev) + ngx_http_request_t *r; + ngx_http_core_srv_conf_t *cscf; + ngx_http_core_main_conf_t *cmcf; ++ ngx_http_header_count_conf_t *hccf; ++ ngx_http_header_count_t *hc_ctx; + + c = rev->data; + r = c->data; +@@ -1472,6 +1483,10 @@ ngx_http_process_request_headers(ngx_event_t *rev) + rc = ngx_http_parse_header_line(r, r->header_in, + cscf->underscores_in_headers); + ++ ++ hccf = ngx_http_get_module_srv_conf(r, ngx_http_header_count_module); ++ hc_ctx = ngx_http_get_module_ctx(r, ngx_http_header_count_module); ++ + if (rc == NGX_OK) { + + r->request_length += r->header_in->pos - r->header_name_start; +@@ -1489,6 +1504,15 @@ ngx_http_process_request_headers(ngx_event_t *rev) + + /* a header line has been parsed successfully */ + ++ if (hc_ctx->count++ >= hccf->max_headers) { ++ r->lingering_close = 1; ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many header lines"); ++ ngx_http_finalize_request(r, ++ NGX_HTTP_REQUEST_HEADER_TOO_LARGE); ++ break; ++ } ++ + h = ngx_list_push(&r->headers_in.headers); + if (h == NULL) { + ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 0f5bd3d..b340789 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + + /* errors */ +@@ -1712,6 +1713,8 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + ngx_http_v2_header_t *header; + ngx_http_core_srv_conf_t *cscf; + ngx_http_core_main_conf_t *cmcf; ++ ngx_http_header_count_conf_t *hccf; ++ ngx_http_header_count_t *hc_ctx; + + static ngx_str_t cookie = ngx_string("cookie"); + +@@ -1817,6 +1820,17 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + } + + } else { ++ cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); ++ hccf = ngx_http_get_module_srv_conf(r, ngx_http_header_count_module); ++ hc_ctx = ngx_http_get_module_ctx(r, ngx_http_header_count_module); ++ ++ if (hc_ctx->count++ >= hccf->max_headers) { ++ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, ++ "client sent too many header lines"); ++ ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE); ++ goto error; ++ } ++ + h = ngx_list_push(&r->headers_in.headers); + if (h == NULL) { + return ngx_http_v2_connection_error(h2c, +diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c +index 0faddd2..a3e10ae 100644 +--- a/src/http/v3/ngx_http_v3_request.c ++++ b/src/http/v3/ngx_http_v3_request.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + + static void ngx_http_v3_init_request_stream(ngx_connection_t *c); +@@ -618,6 +619,8 @@ ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name, + ngx_http_header_t *hh; + ngx_http_core_srv_conf_t *cscf; + ngx_http_core_main_conf_t *cmcf; ++ ngx_http_header_count_conf_t *hccf; ++ ngx_http_header_count_t *hc_ctx; + + static ngx_str_t cookie = ngx_string("cookie"); + +@@ -665,6 +668,17 @@ ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name, + } + + } else { ++ cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); ++ hccf = ngx_http_get_module_srv_conf(r, ngx_http_header_count_module); ++ hc_ctx = ngx_http_get_module_ctx(r, ngx_http_header_count_module); ++ ++ if (hc_ctx->count++ >= hccf->max_headers) { ++ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, ++ "client sent too many header lines"); ++ ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE); ++ return NGX_ERROR; ++ } ++ + h = ngx_list_push(&r->headers_in.headers); + if (h == NULL) { + ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); +-- +2.50.1 (Apple Git-155) + diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series --- nginx-1.26.3/debian/patches/series 2026-05-15 14:13:33.000000000 +0000 +++ nginx-1.26.3/debian/patches/series 2026-06-05 12:22:02.000000000 +0000 @@ -11,6 +11,9 @@ CVE-2026-32647.patch CVE-2026-40460.patch CVE-2026-42945.patch -CVE-2026-42946.patch +CVE-2026-42946.1.patch +CVE-2026-42946.2.patch CVE-2026-40701.patch CVE-2026-42934.patch +CVE-2026-9256.patch +FIX-HTTP2bomb.patch