RHEL-159450 CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled

Resolves: RHEL-159450 rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
2026-04-14 12:12:39 +02:00 · 2026-04-14 12:12:39 +02:00 · ab4f9d9a3b
commit ab4f9d9a3b
parent 8bdb892b28
2 changed files with 37 additions and 0 deletions
--- a/0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
+++ b/0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
@ -0,0 +1,31 @@
+From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Wed, 18 Mar 2026 16:39:37 +0400
+Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
+
+Previously, it was not properly cleared retaining length as part of
+authenticating with CRAM-MD5 and APOP methods that expect to receive
+password in auth response.  This resulted in null pointer dereference
+and worker process crash in subsequent auth attempts with CRAM-MD5.
+
+Reported by Arkadi Vainbrand.
+---
+ src/mail/ngx_mail_auth_http_module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
+index 4ca6d6e24..3e5095a2d 100644
+--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
+@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
+         b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
+         b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
+ 
+-        s->passwd.data = NULL;
+        ngx_str_null(&s->passwd);
+     }
+ 
+     b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
+-- 
+2.53.0
+
--- a/nginx.spec
+++ b/nginx.spec
@ -132,6 +132,10 @@ Patch16:           0016-Dav-destination-length-validation-for-COPY-and-MOVE.patc
 # upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df
 Patch17:           0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch

+# https://redhat.atlassian.net/browse/RHEL-159450
+# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
+Patch18:           0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -653,6 +657,8 @@ fi
  or file modification via buffer overflow in ngx_http_dav_module
 - Resolves: RHEL-159542 - CVE-2026-27784 nginx: NGINX: Denial of Service
  due to memory corruption via crafted MP4 file
+- Resolves: RHEL-159450 - CVE-2026-27651 nginx: NGINX: Denial of Service
+  via undisclosed requests when ngx_mail_auth_http_module is enabled

 * Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28
 - Resolves: RHEL-146528 - CVE-2026-1642 nginx: NGINX: Data injection via