Executive Summary
A NULL pointer dereference vulnerability (CVE-2026-27651) has been disclosed in F5 NGINX Plus and NGINX Open Source affecting the ngx_mail_auth_http_module. When specific conditions are met, undisclosed requests can cause NGINX worker processes to terminate, resulting in a denial-of-service (DoS) condition.
CVSS Score: 7.5 (High)
CWE: CWE-476 — NULL Pointer Dereference
The vulnerability requires the mail proxy module to be enabled and a particular combination of authentication method and backend server configuration. Organisations using NGINX for mail proxying with CRAM-MD5 or APOP authentication should treat this as an urgent remediation item.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-27651 |
| CVSS Score | 7.5 (High) |
| CWE | CWE-476 — NULL Pointer Dereference |
| Type | Denial of Service (Worker Process Crash) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Patch Available | Yes — apply vendor security fix |
Affected Products
| Product | Condition | Remediation |
|---|---|---|
| NGINX Plus (all supported versions) | ngx_mail_auth_http_module enabled + CRAM-MD5 or APOP auth + Auth-Wait retry permitted | Apply F5 security patch |
| NGINX Open Source (all supported versions) | Same conditions as above | Apply upstream patch |
Note: Software versions that have reached End of Technical Support (EoTS) are not evaluated against this CVE.
Technical Analysis
Conditions Required for Exploitation
Three conditions must be simultaneously present for this vulnerability to be triggered:
- The ngx_mail_auth_http_module module must be enabled in the NGINX configuration
- CRAM-MD5 or APOP authentication must be configured as the authentication method
- The upstream authentication server must be configured to permit retry by returning the Auth-Wait response header
When all three conditions are present, a specially crafted or otherwise undisclosed request can cause a NULL pointer dereference within the mail authentication handling code, crashing the worker process.
Root Cause
The vulnerability resides in the mail authentication HTTP module (ngx_mail_auth_http_module). During the CRAM-MD5 or APOP authentication exchange, when the backend authentication server responds with an Auth-Wait header (indicating the client may retry), the code path responsible for handling the retry state dereferences a pointer that has not been properly initialised or has been freed, resulting in a NULL pointer dereference.
Impact
A successful exploitation causes the NGINX worker process to terminate. In a default multi-worker configuration, NGINX's master process will respawn the worker, meaning the outage is typically brief. However:
- Under sustained attack, continuous worker crashes could degrade throughput or create a persistent denial-of-service condition
- Mail proxy connections in flight at the time of the crash are dropped
- The impact is limited to the mail proxy subsystem — HTTP traffic handled by separate workers is unaffected
Impact Assessment
| Impact Area | Description |
|---|---|
| Denial of Service | Worker process crashes, disrupting mail proxy connections |
| Mail Proxy Availability | SMTP, IMAP, POP3 proxying disrupted during crash/respawn cycle |
| HTTP Traffic | Unaffected — HTTP workers are separate |
| Data Confidentiality | Not directly impacted |
| Data Integrity | Not directly impacted |
Immediate Remediation
Step 1: Apply the F5 / NGINX Security Patch
Apply the security fix provided by F5 for NGINX Plus, or update to the patched version of NGINX Open Source.
```sh
# Check current NGINX version
nginx -v
# For NGINX Plus — update via F5 customer portal
# For NGINX Open Source — update via package manager
apt-get update && apt-get upgrade nginx   # Debian/Ubuntu
yum update nginx                          # RHEL/CentOS/Rocky
```

Step 2: Disable the Vulnerable Module (Interim Workaround)
If patching cannot be performed immediately, disable the ngx_mail_auth_http_module or change the authentication method:
```nginx
# Option A: Remove or comment out the mail block entirely (if mail proxy not needed)
# mail { ... }   <-- comment out

# Option B: Restrict each protocol to a non-vulnerable auth method (avoid CRAM-MD5 / APOP)
mail {
    auth_http_header X-Auth-Key "secretkey";
    # Use PLAIN or LOGIN instead of CRAM-MD5 / APOP where possible;
    # the method lists are set per protocol with the *_auth directives
    imap_auth plain login;
    pop3_auth plain;
    smtp_auth plain login;
}
```

Step 3: Configure Authentication Server to Disallow Retries
Modify the upstream authentication server to not return the Auth-Wait header. This removes one of the three required conditions:
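The following is an added example of the backend-side decision logic for Step 3; it is not NGINX or F5 code. It shows an auth_http responder that answers every failed login with Auth-Status alone and never emits Auth-Wait, which removes the retry condition. The header names (Auth-Method, Auth-User, Auth-Pass, Auth-Protocol, Auth-Status, Auth-Server, Auth-Port, Auth-Wait) are those of the NGINX auth_http protocol; the credential table, backend host and ports are constructed placeholders, and wrapping auth_response() in an HTTP server is left to the deployment.

```python
"""auth_http backend decision logic that never returns Auth-Wait.

Added example, not NGINX or F5 code. Header names follow the NGINX
auth_http protocol; USERS and BACKEND_PORTS are constructed placeholders.
"""
import hmac
from urllib.parse import unquote

# Constructed placeholder credential store: user -> (password, backend host).
# Plaintext only because this is a sample; a real store holds password hashes.
USERS = {
    "alice@example.test": ("correct horse battery staple", "10.0.0.5"),
}

# Backend port per value NGINX reports in Auth-Protocol (constructed).
BACKEND_PORTS = {"imap": 143, "pop3": 110, "smtp": 25}

# NGINX reports both PLAIN and LOGIN as "plain"; "apop" and "cram-md5" are the
# challenge-response methods the advisory ties to the Auth-Wait retry path.
ALLOWED_METHODS = {"plain"}

INVALID = {"Auth-Status": "Invalid login or password"}


def auth_response(request_headers):
    """Map one NGINX auth_http lookup to the response headers to send back.

    The result never contains Auth-Wait: a failed login is answered with
    Auth-Status only, so the retry state listed as a required condition is
    never entered for this connection.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    method = h.get("auth-method", "").lower()
    protocol = h.get("auth-protocol", "").lower()
    # NGINX URI-escapes the login and password before sending them.
    user = unquote(h.get("auth-user", ""))
    password = unquote(h.get("auth-pass", ""))

    if method not in ALLOWED_METHODS:
        # Refuse APOP / CRAM-MD5 outright rather than returning the plaintext
        # password the auth_http protocol expects for those methods.
        return dict(INVALID)

    record = USERS.get(user)
    if record is None or protocol not in BACKEND_PORTS:
        return dict(INVALID)

    expected, host = record
    # Constant-time comparison so response timing does not leak the password.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return dict(INVALID)

    return {"Auth-Status": "OK", "Auth-Server": host,
            "Auth-Port": str(BACKEND_PORTS[protocol])}


def emits_auth_wait(response_headers):
    """Review guard: True if a response would permit the client to retry."""
    return any(k.lower() == "auth-wait" for k in response_headers)


if __name__ == "__main__":
    print(auth_response({"Auth-Method": "plain", "Auth-Protocol": "imap",
                         "Auth-User": "alice@example.test",
                         "Auth-Pass": "correct%20horse%20battery%20staple"}))
```

Dropping Auth-Wait means a client that fails authentication is not held on the connection for another attempt, so any lockout or rate limiting you relied on that header for must be enforced on the backend instead.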
Verify that your auth_http server does not send Auth-Wait in its responses. This is a server-side configuration change on the authentication backend, not in NGINX.

Step 4: Review NGINX Configuration
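As an added example for the configuration review (not NGINX project code), the script below audits configuration text such as the output of `nginx -T`: it locates the mail { } block, records whether an auth_http backend is set, and reports any imap_auth, pop3_auth or smtp_auth directive that allows cram-md5 or apop. Commented-out directives are ignored. The sample configuration and the backend address in it are constructed; the Auth-Wait condition lives on the backend and is outside what this check can see.

```python
"""Audit NGINX configuration text for the NGINX-side preconditions of CVE-2026-27651.

Added example, not NGINX project code. SAMPLE_CONF is constructed.
"""
import re

AFFECTED_METHODS = {"cram-md5", "apop"}
AUTH_DIRECTIVE = re.compile(r"\b(imap_auth|pop3_auth|smtp_auth)\s+([^;{}]+);")
AUTH_HTTP = re.compile(r"\bauth_http\s+([^;{}]+);")   # not auth_http_header
MAIL_OPEN = re.compile(r"\bmail\s*\{")

# Constructed sample: IMAP and POP3 expose the affected methods, SMTP does not.
SAMPLE_CONF = """
user nginx;
events { worker_connections 1024; }
http {
    server { listen 80; }
}
mail {
    server_name mail.example.test;
    auth_http   http://127.0.0.1:9000/auth;   # constructed backend address
    imap_auth   plain login cram-md5;
    pop3_auth   plain apop;
    # smtp_auth plain login cram-md5;         <- commented out, must be ignored
    server { listen 143; protocol imap; proxy on; }
    server { listen 110; protocol pop3; proxy on; }
    server { listen 25;  protocol smtp; smtp_auth plain login; proxy on; }
}
"""


def strip_comments(text):
    """Drop '#' comments so commented-out directives are not reported."""
    return re.sub(r"#[^\n]*", "", text)


def mail_block(text):
    """Return the body of the first mail { ... } block, or None if absent."""
    m = MAIL_OPEN.search(text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None   # unbalanced braces: no usable block


def audit(conf_text):
    """Return findings; 'affected' is True when the mail block, an auth_http
    backend and a cram-md5/apop method are all present."""
    body = mail_block(strip_comments(conf_text))
    if body is None:
        return {"mail_block": False, "auth_http": None, "exposed": {}, "affected": False}
    backend = AUTH_HTTP.search(body)
    exposed = {}
    # Nested server { } contexts may also carry *_auth, so scan the whole body.
    for directive, methods in AUTH_DIRECTIVE.findall(body):
        hits = set(methods.lower().split()) & AFFECTED_METHODS
        if hits:
            exposed[directive] = sorted(set(exposed.get(directive, ())) | hits)
    return {
        "mail_block": True,
        "auth_http": backend.group(1).strip() if backend else None,
        "exposed": exposed,
        "affected": bool(backend and exposed),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Run it against `nginx -T` output rather than a single file so that directives pulled in through include statements are covered; the grep commands that follow are the quick manual equivalent.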
```sh
# Confirm whether the mail module is compiled in
nginx -V 2>&1 | grep -o -- '--with-mail[^ ]*'
# Check for mail {} blocks in active configuration (the block may be indented)
grep -rE --include="*.conf" '^\s*mail\s*\{' /etc/nginx/
# Check for auth mechanisms (directive values are lower-case: cram-md5, apop)
grep -riE --include="*.conf" '(imap|pop3|smtp)_auth\b.*(cram-md5|apop)' /etc/nginx/
# Or audit the fully resolved configuration, including files pulled in via include
nginx -T 2>/dev/null | grep -iE '(imap|pop3|smtp)_auth\b.*(cram-md5|apop)'
```

Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected NGINX worker process respawns | Visible in nginx error.log and system process table |
| Error log entries referencing null pointer or segfault in mail module | [alert] worker process exited on signal 11 |
| Repeated connections to mail auth backend with Auth-Wait responses | Visible in auth server access logs |
| Degraded IMAP/SMTP/POP3 proxy throughput | Clients experiencing connection resets or delays |
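The worker-respawn and signal 11 indicators in the table above, as an added detection example (not NGINX project code): the script parses standard nginx error.log lines, extracts each "worker process N exited on signal 11" alert, and flags a burst of crashes inside a sliding time window, which distinguishes a sustained crash loop from a one-off. The log lines it runs on are constructed.

```python
"""Spot worker-crash bursts in nginx error.log lines.

Added example, not NGINX project code. SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\d+#\d+: worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
SIGSEGV = 11

# Constructed sample: three SIGSEGV exits 15 s apart, plus unrelated noise.
SAMPLE_LOG = """\
2026/03/02 10:00:01 [alert] 1200#1200: worker process 1311 exited on signal 11
2026/03/02 10:00:01 [notice] 1200#1200: start worker process 1320
2026/03/02 10:00:16 [alert] 1200#1200: worker process 1320 exited on signal 11 (core dumped)
2026/03/02 10:00:20 [error] 1321#1321: *7 upstream timed out while reading response header
2026/03/02 10:00:31 [alert] 1200#1200: worker process 1325 exited on signal 11
2026/03/02 10:05:00 [notice] 1200#1200: worker process 1330 exited with code 0
"""


def parse_crashes(lines, signal=SIGSEGV):
    """Return sorted (timestamp, pid) pairs for worker exits on `signal`."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m and int(m.group("sig")) == signal:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m.group("pid"))))
    return sorted(events)


def crash_burst(events, window_seconds=60, threshold=3):
    """True if `threshold` crashes fall inside any `window_seconds` span.

    A single crash is an incident to investigate; a burst is the pattern
    that turns master respawns into a denial of service.
    """
    for i in range(len(events) - threshold + 1):
        span = (events[i + threshold - 1][0] - events[i][0]).total_seconds()
        if span <= window_seconds:
            return True
    return False


if __name__ == "__main__":
    crashes = parse_crashes(SAMPLE_LOG.splitlines())
    print(len(crashes), "SIGSEGV worker exits; burst:", crash_burst(crashes))
```

Feed it the live file with `tail -F` piped into `parse_crashes`, or point it at rotated logs when reconstructing a timeline; the shell one-liners below give the same signal interactively.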
```sh
# Monitor NGINX error log for worker crashes
tail -f /var/log/nginx/error.log | grep -i "worker process"
# Check for segfault events in kernel ring buffer
dmesg | grep -i nginx | tail -20
# Monitor NGINX process count (should stay stable at master + configured worker count)
watch -n 2 'pgrep -c nginx'
```

Post-Remediation Checklist
- Patch NGINX Plus or NGINX Open Source to the fixed version
- Verify the patch is applied by checking the version string
- Review all NGINX mail proxy configurations for CRAM-MD5 / APOP usage
- Harden authentication server configuration to disallow unnecessary retries
- Monitor NGINX error logs for any residual worker crash events after patching
- Document change in your vulnerability management system