It was discovered that the nginx ngx_mail_auth_http_module module incorrectly handled certain requests. An attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service. (CVE-2026-27651)
It was discovered that the nginx ngx_http_dav_module module incorrectly handled certain destination URIs. An attacker could use this issue to cause nginx to crash, resulting in a denial of service, or possibly modify source or destination names outside of the document root. (CVE-2026-27654)
It was discovered that the nginx ngx_http_mp4_module module incorrectly handled certain MP4 files. An attacker could use this issue to cause nginx to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-27784, CVE-2026-32647)
It was discovered that the nginx ngx_mail_smtp_module module incorrectly handled certain CRLF sequences. An attacker could possibly use this issue to inject arbitrary SMTP headers. (CVE-2026-28753)
It was discovered that the nginx ngx_stream_ssl_module module incorrectly handled revoked certificates. This could result in successful TLS handshakes even after an OCSP check identifies a certificate as revoked, contrary to expectations. This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-28755)
1.18.0-6ubuntu14.101.24.0-2ubuntu7.71.28.0-6ubuntu1.2