Merge PR "[AUTO-CHERRYPICK] [High] Patch nginx for CVE-2026-49975 - branch 3.0-dev" microsoft#17634

CBL-Mariner-Bot · akhila-guruju · jslobodzian · web-flow · commit babfa30ad514 · 2026-06-05T11:05:32.000-07:00
Co-authored-by: Akhila Guruju &lt;v-guakhila@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/nginx/CVE-2026-49975.patch b/SPECS/nginx/CVE-2026-49975.patch
@@ -0,0 +1,147 @@
+From 148dfa3d5f59442041193e01b3ab29addf2dc8e6 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Fri, 24 May 2024 00:20:01 +0300
+Subject: [PATCH] Added max_headers directive.
+
+The directive limits the number of request headers accepted from clients.
+While the total amount of headers is believed to be sufficiently limited
+by the existing buffer size limits (client_header_buffer_size and
+large_client_header_buffers), the additional limit on the number of headers
+might be beneficial to better protect backend servers.
+
+Requested by Maksim Yevmenkin.
+
+Signed-off-by: Elijah Zupancic <e.zupancic@f5.com>
+Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea>
+
+Upstream Patch reference: https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2.patch
+Upstream PR: https://github.com/nginx/nginx/pull/1116
+---
+ src/http/ngx_http_core_module.c   | 10 ++++++++++
+ src/http/ngx_http_core_module.h   |  2 ++
+ src/http/ngx_http_request.c       |  9 +++++++++
+ src/http/ngx_http_request.h       |  1 +
+ src/http/v2/ngx_http_v2.c         |  9 +++++++++
+ src/http/v3/ngx_http_v3_request.c |  9 +++++++++
+ 6 files changed, 40 insertions(+)
+
+diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
+index a2ff53f82f..0c46106db6 100644
+--- a/src/http/ngx_http_core_module.c
++++ b/src/http/ngx_http_core_module.c
+@@ -252,6 +252,13 @@ static ngx_command_t  ngx_http_core_commands[] = {
+       offsetof(ngx_http_core_srv_conf_t, large_client_header_buffers),
+       NULL },
+ 
++    { ngx_string("max_headers"),
++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
++      ngx_conf_set_num_slot,
++      NGX_HTTP_SRV_CONF_OFFSET,
++      offsetof(ngx_http_core_srv_conf_t, max_headers),
++      NULL },
++
+     { ngx_string("ignore_invalid_headers"),
+       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+       ngx_conf_set_flag_slot,
+@@ -3511,6 +3518,7 @@ ngx_http_core_create_srv_conf(ngx_conf_t *cf)
+     cscf->request_pool_size = NGX_CONF_UNSET_SIZE;
+     cscf->client_header_timeout = NGX_CONF_UNSET_MSEC;
+     cscf->client_header_buffer_size = NGX_CONF_UNSET_SIZE;
++    cscf->max_headers = NGX_CONF_UNSET_UINT;
+     cscf->ignore_invalid_headers = NGX_CONF_UNSET;
+     cscf->merge_slashes = NGX_CONF_UNSET;
+     cscf->underscores_in_headers = NGX_CONF_UNSET;
+@@ -3552,6 +3560,8 @@ ngx_http_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+         return NGX_CONF_ERROR;
+     }
+ 
++    ngx_conf_merge_uint_value(conf->max_headers, prev->max_headers, 1000);
++
+     ngx_conf_merge_value(conf->ignore_invalid_headers,
+                               prev->ignore_invalid_headers, 1);
+ 
+diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
+index 6062d3a232..a13d7ade56 100644
+--- a/src/http/ngx_http_core_module.h
++++ b/src/http/ngx_http_core_module.h
+@@ -199,6 +199,8 @@ typedef struct {
+ 
+     ngx_msec_t                  client_header_timeout;
+ 
++    ngx_uint_t                  max_headers;
++
+     ngx_flag_t                  ignore_invalid_headers;
+     ngx_flag_t                  merge_slashes;
+     ngx_flag_t                  underscores_in_headers;
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 7305af132d..a9573a6207 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -1494,6 +1494,15 @@ ngx_http_process_request_headers(ngx_event_t *rev)
+ 
+             /* a header line has been parsed successfully */
+ 
++            if (r->headers_in.count++ >= cscf->max_headers) {
++                r->lingering_close = 1;
++                ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                              "client sent too many header lines");
++                ngx_http_finalize_request(r,
++                                          NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
++                break;
++            }
++
+             h = ngx_list_push(&r->headers_in.headers);
+             if (h == NULL) {
+                 ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h
+index 7a77498eb5..48eb43eb0f 100644
+--- a/src/http/ngx_http_request.h
++++ b/src/http/ngx_http_request.h
+@@ -184,6 +184,7 @@ typedef struct {
+ 
+ typedef struct {
+     ngx_list_t                        headers;
++    ngx_uint_t                        count;
+ 
+     ngx_table_elt_t                  *host;
+     ngx_table_elt_t                  *connection;
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 49ea25edef..efe22903fa 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -1823,6 +1823,15 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
+         }
+ 
+     } else {
++        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
++
++        if (r->headers_in.count++ >= cscf->max_headers) {
++            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
++                          "client sent too many header lines");
++            ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
++            goto error;
++        }
++
+         h = ngx_list_push(&r->headers_in.headers);
+         if (h == NULL) {
+             return ngx_http_v2_connection_error(h2c,
+diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
+index 6865e14664..7bb61311d9 100644
+--- a/src/http/v3/ngx_http_v3_request.c
++++ b/src/http/v3/ngx_http_v3_request.c
+@@ -665,6 +665,15 @@ ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name,
+         }
+ 
+     } else {
++        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
++
++        if (r->headers_in.count++ >= cscf->max_headers) {
++            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
++                          "client sent too many header lines");
++            ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
++            return NGX_ERROR;
++        }
++
+         h = ngx_list_push(&r->headers_in.headers);
+         if (h == NULL) {
+             ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
diff --git a/SPECS/nginx/nginx.spec b/SPECS/nginx/nginx.spec
@@ -6,7 +6,7 @@ Name:           nginx
 # Currently on "stable" version of nginx from https://nginx.org/en/download.html.
 # Note: Stable versions are even (1.20), mainline versions are odd (1.21)
 Version:        1.28.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        BSD-2-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -31,6 +31,7 @@ Patch8:         CVE-2026-42934.patch
 Patch9:         CVE-2026-42945.patch
 Patch10:        CVE-2026-42946.patch
 Patch11:        CVE-2026-9256.patch
+Patch12:        CVE-2026-49975.patch
 
 # njs patches start at 1001 to keep them separate from nginx patches
 Patch1001:      CVE-2026-8711.patch
@@ -183,6 +184,9 @@ rm -rf nginx-tests
 %dir %{_sysconfdir}/%{name}
 
 %changelog
+* Fri Jun 05 2026 Akhila Guruju <v-guakhila@microsoft.com> - 1.28.3-5
+- Patch for CVE-2026-49975
+
 * Wed May 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.28.3-4
 - Patch for CVE-2026-9256
 
