Nginx and CVE-2026-49975

jurajkavka · June 3, 2026, 11:00am

Hello,

We are running Rocky Linux 9 where is nginx 1.26.3 as default version. Today I’m reading about a Hidden HTTP/2 Bomb that should be fixed in nginx 1.29.8+

Please could some of the maintainers check patch for supported nginx 1.26.3 if it can be applied? For the time I have to disable http2.

Source:

https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

Thank You.

J.

iwalker · June 3, 2026, 11:35am

Since Rocky is based on RHEL, then RHEL will be the ones who check and backport a fix if it’s needed. Only at that point will it be in Rocky.

Topic		Replies	Views
Nginx and CVE-2026–42945 Rocky Linux Help & Support rocky-linux-9	4	306	June 3, 2026
Nginx 1.20 available at Rocky8-appstream Rocky Linux Help & Support	3	192	February 20, 2026
Legacy version of nginx installed by default Rocky Linux Help & Support rocky-linux-9	4	2871	October 9, 2023
How can I update httpd to 2.4.62 Rocky Linux Help & Support rocky-linux-9	12	5004	September 16, 2024
The latest httpd rpm version in Rocky 8 is vulnerable and fix not available Rocky Linux Help & Support rocky-linux-8	6	1016	October 9, 2024

Nginx and CVE-2026-49975

Related topics