Unpacking CVE-2026-9142: Pre-Authentication

CVE-2026-9142 is a critical pre-authentication vulnerability affecting the AetherGate Edge Proxy (versions 4.2.0 through 4.5.1) that allows for remote code execution (RCE) by exploiting an integer underflow in the HTTP/2 frame processing engine. The flaw resides in the handling of CONTINUATION frames when they are used to transport fragmented header blocks that exceed the internal buffer allocation but fall short of the maximum frame size limit. Because this vulnerability is triggered during the initial header parsing phase, an attacker can achieve code execution before the proxy performs any credential validation or session checks, making it a high-priority threat for organizations utilizing AetherGate for load balancing or SSL termination.

Root Cause Analysis: Integer Underflow in Frame Assembly

The technical core of CVE-2026-9142 lies in the ag_http2_parse_headers function within the AetherGate core binary. This function is responsible for reassembling header fragments across multiple HTTP/2 frames. When a HEADERS frame (Type 0x01) is received without the END_HEADERS flag (0x04) set, the proxy expects a sequence of CONTINUATION frames (Type 0x09) to follow. The vulnerability is triggered by a logic error in how the proxy calculates the remaining buffer space for these incoming fragments. Specifically, the code utilizes a signed 32-bit integer to track the bytes_remaining in the pre-allocated header heap. By sending a HEADERS frame with a specifically calculated payload size followed by a CONTINUATION frame that claims a larger payload than the physical TCP packet contains, an attacker can force the bytes_remaining variable to underflow.

// Simplified representation of the vulnerable logic in ag_http2_parse_headers.c
int32_t bytes_remaining = stream->header_buffer_size - stream->header_buffer_offset;
uint32_t incoming_payload_len = frame->payload_length;

if (incoming_payload_len > bytes_remaining) {
    // Attempting to resize or error out, but the check is bypassed
    // if bytes_remaining has already underflowed to a large positive value
    if (expand_header_buffer(stream, incoming_payload_len) != AG_OK) {
        return AG_ERROR;
    }
}

// Memory corruption occurs here
memcpy(stream->header_buffer + stream->header_buffer_offset, frame->payload, incoming_payload_len);
stream->header_buffer_offset += incoming_payload_len;

When bytes_remaining underflows, it wraps around to a massive positive value. The subsequent memcpy operation then proceeds without sufficient bounds checking, leading to a heap-based buffer overflow. This allows the attacker to overwrite adjacent memory structures, including function pointers in the stream object or the connection context, eventually redirecting execution flow to an attacker-controlled shellcode or a ROP (Return-Oriented Programming) chain. This is fundamentally different from standard broken authentication issues, as the failure occurs in the transport layer parsing rather than the identity logic.

Protocol Mechanics: Exploiting the HTTP/2 State Machine

HTTP/2 is a binary protocol, making it significantly more complex to parse than HTTP/1.1. In CVE-2026-9142, the attacker must strictly adhere to the HTTP/2 state machine to reach the vulnerable code path. The proxy must believe it is in the open or half-closed (remote) state for the specific stream ID. The exploit begins with a standard HTTP/2 connection preface (PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n) followed by a SETTINGS frame. Once the connection is established, the attacker initiates a stream with a HEADERS frame. To maximize the likelihood of a successful heap spray, attackers often use multiple streams in parallel. The critical component is the CONTINUATION frame. According to RFC 9113, a CONTINUATION frame must follow a HEADERS, PUSH_PROMISE, or another CONTINUATION frame that does not have the END_HEADERS flag set. If any other frame type is received in between, the proxy must treat this as a connection error of type PROTOCOL_ERROR. However, CVE-2026-9142 exploits the fact that the proxy processes the length field of the CONTINUATION frame before it validates the transition state of the HPACK decoder.

HPACK Compression and Memory Pressure

The vulnerability is exacerbated by HPACK, the compression format for HTTP/2 headers. An attacker can use highly compressed headers to fill the initial buffer allocated by AetherGate. When the CONTINUATION frame arrives, the decompression of the dynamic table entries happens simultaneously with the memory allocation check. By providing a CONTINUATION frame that references a large number of entries in the HPACK dynamic table, the attacker can force the proxy to allocate a large buffer, which is then susceptible to the underflow-driven memcpy.

Exploitation Vector and Payload Delivery

To weaponize CVE-2026-9142, the attacker typically utilizes a custom script to bypass standard client limitations. Tools like h2load or nghttp are often insufficient for precise frame manipulation required for this exploit. Researchers often turn to libraries like Scapy or custom Go-based frame injectors to maintain fine-grained control over the frame flags and payload lengths. A typical exploit sequence involves:

• Establishing a TLS connection to the target AetherGate instance.
• Sending a SETTINGS frame to disable server-side flow control (if possible) to prevent stream throttling.
• Sending a HEADERS frame for Stream ID 1 with a payload that fills the buffer to within 4 bytes of its limit.
• Sending a CONTINUATION frame with a payload_length field set to 0xFFFF, but only providing 1024 bytes of actual data.
• The underflow occurs, and the subsequent memcpy overwrites the stream_ops structure.

Similar to the techniques discussed in the analysis of exploiting CVE-2026-0300: Unauthenticated RCE, the goal is to gain control over the instruction pointer (EIP/RIP). In modern Linux environments where AetherGate is typically deployed, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP/NX) are active. Therefore, the payload must include a ROP chain designed to bypass these protections, likely targeting mprotect() to make a region of memory executable or executing execve() directly.

Example Exploit Skeleton (Python/Scapy)

from scapy.all import *
from scapy.layers.http2 import H2Frame, H2HeadersFrame, H2ContinuationFrame

# Target configuration
target_ip = "192.168.1.100"
target_port = 443

# Construct the initial HEADERS frame to prime the buffer
headers_payload = "A" * 8188  # Just below the default 8KB buffer
prime_frame = H2Frame(flags=0x0)/H2HeadersFrame(hdrs=headers_payload)

# Construct the malicious CONTINUATION frame
# The length in the H2Frame header will be manipulated to trigger the underflow
malicious_payload = b"B" * 2048 + rop_chain 
overflow_frame = H2Frame(len=0xFFFF, type=0x09, flags=0x04)/malicious_payload

# Send frames over a TLS-wrapped socket
# (Socket setup and TLS handshake omitted for brevity)
sock.send(bytes(prime_frame))
sock.send(bytes(overflow_frame))

Detection and Identification of Vulnerable Assets

Identifying exposure to CVE-2026-9142 is a critical step for security teams. Because the vulnerability is pre-authentication, it is highly visible to internet-wide scanning. Attackers use services like Zondex to find AetherGate instances by fingerprinting the unique HTTP/2 SETTINGS frame defaults and the Server header strings. For internal security teams, traditional vulnerability scanners may fail to detect this flaw unless they have specific modules for HTTP/2 frame testing. Effective detection requires a combination of version checking and active probing. Organizations can use the Secably EASM API to automate the discovery of exposed AetherGate versions across their entire digital footprint.

Affected Versions and Signatures

Component	Vulnerable Versions	Fix Version	Risk Level
AetherGate Core	4.2.0 - 4.4.9	4.5.2	Critical (9.8)
AetherGate Enterprise	4.5.0 - 4.5.1	4.5.2-E	Critical (9.8)
AetherGate OpenSource	< 4.2.0	N/A (Not Affected)	Low

Detection via network traffic analysis (NTA) or Intrusion Detection Systems (IDS) is possible by looking for anomalous CONTINUATION frame patterns. A sequence of CONTINUATION frames that do not terminate with END_HEADERS or frames that claim a length significantly larger than the encapsulated data are strong indicators of an exploitation attempt.

Comparison with Concurrent Vulnerabilities

The year 2026 has seen a cluster of high-impact pre-authentication vulnerabilities. While CVE-2026-9142 targets the edge proxy, others like CVE-2026-6102 target the underlying transport protocols. However, the complexity of HTTP/2 makes CVE-2026-9142 particularly dangerous because many WAFs (Web Application Firewalls) do not fully inspect the binary frame layer, instead opting to terminate TLS and inspect the reassembled HTTP/1.1-like stream. If the WAF itself uses a vulnerable version of the AetherGate library for its HTTP/2 ingestion, the security layer itself becomes the entry point. This vulnerability shares some architectural similarities with the "Rapid Reset" attacks of previous years, but instead of a Denial of Service (DoS), the integer underflow provides a path to full system compromise. Using tools like GProxy to route research traffic can help analysts safely probe these vulnerabilities without exposing their primary research infrastructure to potential counter-exploits or automated blacklisting by edge-protection services.

Mitigation and Remediation Strategies

The primary remediation for CVE-2026-9142 is an immediate upgrade to AetherGate version 4.5.2 or later. The patch introduces a strict validation check for bytes_remaining and switches the variable type to size_t to prevent negative underflow logic. Additionally, the patch implements a maximum aggregate header size limit that is enforced before memory is allocated for CONTINUATION fragments. For environments where an immediate patch is not feasible, the following tactical mitigations should be considered:

• Disable HTTP/2: If the application performance requirements allow, disabling HTTP/2 support on the edge proxy will completely close the attack vector, as the vulnerability is specific to the H2 frame parsing logic.
• Limit Header Size: Implement a strict max_header_list_size in the AetherGate configuration. While the vulnerability occurs during parsing, setting this to a lower value (e.g., 4KB) can trigger an earlier rejection of the malicious frames in some configurations.
• Deep Packet Inspection: Configure upstream firewalls to drop HTTP/2 CONTINUATION frames that exceed 16KB, which is the default maximum frame size for many implementations and often much larger than legitimate fragments.
• EASM Monitoring: Continuously monitor the attack surface using Secably to ensure that no shadow IT or forgotten dev instances are running vulnerable versions of the proxy software.

In terms of configuration-based hardening, administrators should audit their ag.conf for the following parameters:

# Temporary mitigation: Reduce max header size to prevent large allocations
http2_max_header_size 4k;

# Disable HTTP/2 on critical listeners if patching is delayed
# listen 443 ssl; # instead of: listen 443 ssl http2;

Implementing these changes requires a restart of the AetherGate service. It is also recommended to review system logs for SIGSEGV errors in the AetherGate process, which may indicate failed exploit attempts or "crash-testing" by attackers performing reconnaissance. Since this is a heap-based overflow, failed attempts will frequently result in a process crash rather than a silent failure, providing a clear signal to SOC (Security Operations Center) teams. Organizations should also cross-reference their exposure with other recent disclosures, such as the cPanel authentication bypass (CVE-2026-4194), to ensure that their entire edge stack is resilient against the current wave of pre-authentication threats.