[BUG] CVE-2026-42055. When will there be 1.30.3+ or 1.31.2+ part of this image?

[godfuture]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Current swag images have nginx releases 1.28.x included which are effected by CVE-2026-42055. It takes at least nginx 1.30.3+ or 1.31.2+ to fix the issue.

Expected Behavior

swag images are being updated with nginx versions fixing CVE-2026-42055.

Steps To Reproduce

1. Create swag container
2. Execute nginx -v inside container

Environment

CPU architecture

x86-64

Docker creation

image: lscr.io/linuxserver/swag:latest

Container logs

nginx version: nginx/1.28.3

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[aptalca]

It's up to alpine, and they usually patch rather than update

[godfuture]

It's up to alpine, and they usually patch rather than update

I dont understand what release is being installed in underlying alpine nginx image:
https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/3.22/Dockerfile#L15

It notes only nginx. Why the release version is missing? Or is determined by baseimage-alpine:3.22?

[Roxedus]

Latter.

[thespad]

Alpine will not make a major version change to nginx within an existing release, they will backport the security fix to 1.28 and when they do it will trigger a new build of the base image, which will then trigger a new build of the swag image.

[j0nnymoe]

It's up to alpine, and they usually patch rather than update

I dont understand what release is being installed in underlying alpine nginx image: https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/3.22/Dockerfile#L15

It notes only nginx. Why the release version is missing? Or is determined by baseimage-alpine:3.22?

As a side note, you can see the versions for everything in the container here: https://github.com/linuxserver/docker-swag/blob/master/package_versions.txt

[C0nw0nk]

defaults nginx config values make swag nginx not vulnerable to this unless you have put those nginx config values in place.

The ignore_invalid_headers directive is set to off (default is on)

The large_client_header_buffers directive is configured with a per-buffer size large enough to accept multi-megabyte header lines (default of 4 buffers of 8K each blocks the attack)

You can test via https://www.ssllabs.com/ssltest/analyze.html?d=linuxserver.io&s=178.62.84.203

The test will check if your domain is exposed to certain CVE exploits HTTP3/QUIC etc.

[C0nw0nk]

Also inline with other info you can check.

CVE-2026-42530 - Disable HTTP/3
CVE-2026-42055 - Remove the ignore_invalid_headers off directive from the configuration, or reduce the large_client_header_buffers directive size below 2 MB

https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html

Theres a few good sources on this but it should be expressed that by default ignore_invalid_headers on; is on and this really does impact only those running custom nginx configurations where they are not using default/recommended values.