NES for Ingress NGINX Release Notes

Comprehensive release notes and changelog for NES for Ingress NGINX, including security patches, bug fixes, and feature updates across all supported versions.

Ingress NGINX

1.15.4 (NES) - May 18, 2026

Container Image: registry.nes.herodevs.com/nes/ingress-nginx:v1.15.1-nes-1.15.4

Helm Chart: HeroDevs/ingress-nginx --version 0.0.6 (see Helm Charts)

Based on upstream ingress-nginx v1.15.1
Go version: 1.26.3
NGINX version: 1.27.1 (compiled from source on Alpine 3.23.4)

This release backports the fix for CVE-2026-42945 ("NGINX Rift", CVSS 9.2, actively exploited in the wild) into the pinned NGINX 1.27.1 baseline. The NGINX base image rebuild also picks up Alpine 3.23.4 with newer curl/libcurl (8.19.0-r0), clearing five medium-severity curl CVEs along the way.

For upgrade instructions using the NES for Ingress NGINX Helm chart, see Helm Charts.

NGINX

  • CVE-2026-42945 (Critical, CVSS 9.2) — "NGINX Rift" — heap buffer overrun in ngx_http_script_regex_end_code (the ngx_http_rewrite_module script engine). A rewrite whose replacement contains args sets is_args and never clears it; subsequent set/if evaluations then apply URL-escaping to captures and the destination buffer is allocated without accounting for the escape expansion. Active in-the-wild exploitation confirmed by VulnCheck. DoS (worker crash) readily reachable; RCE requires ASLR disabled. Patch: NES backport of upstream commit 2046b45a (fixed in nginx 1.31.0 mainline / 1.30.1 stable, released 2026-05-13) onto pinned 1.27.1; patch lives in nes-patches/nginx/. Reachability: the vulnerable code path is on the hot path for nearly every deployment because rewrite-target, canary routing, and X-Forwarded-* handling all generate the trigger pattern.

Alpine Packages

  • CVE-2025-14524 (Medium, CVSS 6.5) — curl/libcurl: OAuth2 bearer tokens leaked when an HTTP(S) request cross-protocol redirects to IMAP/LDAP/POP3/SMTP schemes. Fixed by rebuilding the NGINX base image (v2.2.9-nes.2 → v2.2.10-nes.1, Alpine 3.23.3 → 3.23.4, curl/libcurl 8.17.0-r1 → 8.19.0-r0). Not reachable — the controller's only curl usage is the OpenTelemetry C++ exporter.
  • CVE-2025-14819 (Medium, CVSS 6.8) — curl/libcurl: libcurl accidentally reuses a CA store cached in memory with the partial-chain option reversed, potentially accepting untrusted TLS certificates on subsequent connections with altered SSL settings. Fixed by the same rebuild. Not reachable — OTel exporter uses a single static TLS config.
  • CVE-2026-1965 (Medium, CVSS 6.8) — curl/libcurl: libcurl incorrectly reuses authenticated connections with different credentials. Fixed by the same rebuild. Not reachable — OTel exporter uses a single static identity.
  • CVE-2026-3784 (Medium, CVSS 6.5) — curl/libcurl: HTTP proxy connection reuse with mismatched credentials allows authentication bypass. Fixed by the same rebuild (applied to both nginx-base and controller images). Not reachable — neither image routes user traffic through an HTTP proxy via curl.
  • CVE-2026-3805 (Medium, CVSS 6.3) — curl/libcurl: use-after-free in SMB request handling. Fixed by the same rebuild. Not reachable — controller does not use curl's SMB protocol support.

1.15.3 (NES) - May 4, 2026

Container Image: registry.nes.herodevs.com/nes/ingress-nginx:v1.15.1-nes-1.15.3

Helm Chart: HeroDevs/ingress-nginx --version 0.0.5 (see Helm Charts)

Based on upstream ingress-nginx v1.15.1
Go version: 1.26.3
NGINX version: 1.27.1 (compiled from source on Alpine 3.23.3)

This release addresses CVE-2026-27135 in the nghttp2-libs Alpine package, four Go standard library advisories patched by upgrading the Go toolchain to 1.26.3, and an HTTP/2 transport vulnerability in golang.org/x/net patched by bumping that module to v0.53.0.

For upgrade instructions using the NES for Ingress NGINX Helm chart, see Helm Charts.

Alpine Packages

  • CVE-2026-27135 (High, CVSS 7.5) — nghttp2-libs: Denial-of-service via malformed HTTP/2 frames after session termination. Fixed by rebuilding the NGINX base image with nghttp2-libs 1.68.1-r0 (v2.2.9-nes.2 NGINX base respin).

Go Toolchain

  • GO-2026-4982 — html/template: Bypass of meta content URL escaping causes XSS. Fixed by upgrading Go 1.26.2 → 1.26.3.
  • GO-2026-4980 — html/template: Escaper bypass leads to XSS. Fixed by upgrading Go 1.26.2 → 1.26.3.
  • GO-2026-4971 — net: Panic in Dial and LookupPort when handling a NUL byte on Windows. Fixed by upgrading Go 1.26.2 → 1.26.3. Not reachable in this build (the controller runs on Linux only).
  • GO-2026-4918 — net/http and golang.org/x/net: Infinite loop in the HTTP/2 transport on a bad SETTINGS_MAX_FRAME_SIZE. Fixed by upgrading Go 1.26.2 → 1.26.3 and golang.org/x/net v0.52.0 → v0.53.0.

1.15.2 (NES) - April 20, 2026

Container Image: registry.nes.herodevs.com/nes/ingress-nginx:v1.15.1-nes-1.15.2

Helm Chart: HeroDevs/ingress-nginx --version 0.0.2 (see Helm Charts)

Based on upstream ingress-nginx v1.15.1
Go version: 1.26.2
NGINX version: 1.27.1 (compiled from source on Alpine 3.23.3)

This release addresses multiple high-severity CVEs across the Go toolchain and Go module dependencies.

For upgrade instructions using the NES for Ingress NGINX Helm chart, see Helm Charts.

Go Toolchain

  • CVE-2026-32282 (Medium, CVSS 6.4) — Root.Chmod follows symlinks outside the root via a TOCTOU race on Linux (internal/syscall/unix). Fixed by upgrading Go 1.26.1 → 1.26.2.

Go Module Dependencies

  • CVE-2024-44337 (Medium, CVSS 5.1) — github.com/gomarkdown/markdown: Infinite loop in paragraph parser causes denial-of-service. Bumped to patched version.
  • CVE-2026-35204 (High, CVSS 8.4) — helm.sh/helm/v4: Path traversal in plugin version field allows arbitrary file write (CWE-22). Upgraded helm v4.1.3 → v4.1.4.
  • CVE-2026-35205 (High, CVSS 8.4) — helm.sh/helm/v4: Missing .prov file check skips plugin signature verification, enabling arbitrary code execution (CWE-636). Upgraded helm v4.1.3 → v4.1.4.
  • CVE-2026-40890 (High, CVSS 7.5) — github.com/gomarkdown/markdown: Out-of-bounds read/panic in SmartypantsRenderer on malformed < input. Bumped to patched version.