diff --git a/nginx-1.26.3-CVE-2026-42055.patch b/nginx-1.26.3-CVE-2026-42055.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc79fb8267264b580abf11e44c32692ee2e55c74
--- /dev/null
+++ b/nginx-1.26.3-CVE-2026-42055.patch
@@ -0,0 +1,99 @@ +From 131be8514da8985b15b74150521afedbf9cc4ea3 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Tue, 2 Jun 2026 19:37:17 +0400 +Subject: [PATCH] Upstream: limit header length for HTTP/2 and gRPC + +The change applies the HTTP/2 header length limits to avoid buffer +overflow. See 58a7bc3406ac for details. + +Reported by Mufeed VH of Winfunc Research. + +Adapted-by: PkgAgent/deepseek-v4 (modified to adapt to opencloudos-stream) + +--- + src/http/modules/ngx_http_grpc_module.c | 44 +++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c +index e7726f3..98ba8a9 100644 +--- a/src/http/modules/ngx_http_grpc_module.c ++++ b/src/http/modules/ngx_http_grpc_module.c +@@ -740,6 +740,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + tmp_len = 0; + + } else { ++ if (r->method_name.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 method: \"%V\"", &r->method_name); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + r->method_name.len; + tmp_len = r->method_name.len; + } +@@ -760,6 +766,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + uri_len = r->uri.len + escape + sizeof("?") - 1 + r->args.len; + } + ++ if (uri_len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 URI"); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + uri_len; + + if (tmp_len < uri_len) { +@@ -769,6 +781,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + /* :authority header */ + + if (!glcf->host_set) { ++ if (ctx->host.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 host: \"%V\"", &ctx->host); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + ctx->host.len; + + if (tmp_len < ctx->host.len) { +@@ -799,6 +817,18 @@ 
ngx_http_grpc_create_request(ngx_http_request_t *r) + continue; + } + ++ if (key_len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header name"); ++ return NGX_ERROR; ++ } ++ ++ if (val_len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header value"); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + key_len + + NGX_HTTP_V2_INT_OCTETS + val_len; + +@@ -833,6 +863,20 @@ ngx_http_grpc_create_request(ngx_http_request_t *r) + continue; + } + ++ if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header name: \"%V\"", ++ &header[i].key); ++ return NGX_ERROR; ++ } ++ ++ if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "too long http2 header value: \"%V: %V\"", ++ &header[i].key, &header[i].value); ++ return NGX_ERROR; ++ } ++ + len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len + + NGX_HTTP_V2_INT_OCTETS + header[i].value.len; + diff --git a/nginx.spec b/nginx.spec index 48c0c3df5521aa85a3ba8e3991767a3d38f0d9be..c7d1b69e12445895237dd40d32843f59334e1db4 100644 --- a/nginx.spec +++ b/nginx.spec @@ -27,7 +27,7 @@ Name: nginx Version: 1.26.3 -Release: 7%{?dist} +Release: 8%{?dist} Summary: A high performance web server and reverse proxy server License: BSD URL: https://nginx.org @@ -65,6 +65,7 @@ Patch0009: nginx-1.26.3-CVE-2026-42945.patch Patch0010: nginx-1.26.3-CVE-2026-9256.patch Patch0011: nginx-1.26.3-CVE-2026-40701.patch Patch0012: nginx-1.26.3-HTTP2-Bomb.patch +Patch0013: nginx-1.26.3-CVE-2026-42055.patch BuildRequires: make, gcc BuildRequires: openssl-devel, pcre2-devel, zlib-devel, systemd 
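Review bot: The five new length checks in ngx_http_grpc_create_request give no hint why NGX_HTTP_V2_MAX_FIELD is the right bound, even though each one sits directly above a `len += 1 + NGX_HTTP_V2_INT_OCTETS + ...` line, and the commit message says the limit exists to avoid a buffer overflow — presumably because the request buffer is sized on the assumption that the HPACK length integer fits in NGX_HTTP_V2_INT_OCTETS bytes. A one-line comment above the first check would make that explicit, e.g. `/* a field longer than NGX_HTTP_V2_MAX_FIELD would not fit the NGX_HTTP_V2_INT_OCTETS reserved for its HPACK length below */`. The patch subject says the limit applies to HTTP/2 and gRPC and points at 58a7bc3406ac for details, yet the diffstat touches only src/http/modules/ngx_http_grpc_module.c; since the Adapted-by trailer shows this backport was machine-adapted, it is worth confirming that whatever HTTP/2-side change that commit refers to is already present in 1.26.3 or backported separately, and that NGX_HTTP_V2_MAX_FIELD as defined in 1.26.3's ngx_http_v2.h matches the width the encoder reserves. ngx_http_grpc_create_request starts before and ends after the fragments shown in this hunk.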
@@ -550,6 +551,10 @@ fi %changelog +* Mon Jun 22 2026 PkgAgent Robot - 1.26.3-8 +- [Type] security +- [DESC] Fix CVE-2026-42055: limit HTTP/2 and gRPC header length to prevent heap buffer overflow + * Thu Jun 04 2026 PkgAgent Robot - 1.26.3-7 - [Type] security - [DESC] Fix HTTP/2 Bomb: added max_headers directive to limit request headers count