Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Home/CyberSecurity News/F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
CyberSecurity News

F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution

Key Takeaways F5 has issued critical patches for three high-severity vulnerabilities impacting NGINX Plus and NGINX Open Source. The most severe flaw, CVE-2026-42533, carries a CVSS v4.0 score of 9.2...

David kimber
David kimber
July 16, 2026 4 Min Read
3 0

Key Takeaways

  • F5 has issued critical patches for three high-severity vulnerabilities impacting NGINX Plus and NGINX Open Source.
  • The most severe flaw, CVE-2026-42533, carries a CVSS v4.0 score of 9.2 (Critical) and could lead to arbitrary code execution.
  • Affected products include NGINX Plus, NGINX Open Source, NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager.
  • Unauthenticated attackers could exploit these flaws to trigger memory corruption, disclose sensitive data, or crash worker processes.
  • Immediate patching is strongly recommended, especially for deployments utilizing regex captures in map directives or the Server-Side Includes (SSI) module.

F5 Issues Critical Patches for NGINX Vulnerabilities, Including Code Execution Risk

F5 has disclosed and patched three significant vulnerabilities within its NGINX Plus and NGINX Open Source products. These security flaws, published on July 15, 2026, range in severity and could allow unauthenticated attackers to corrupt memory, crash worker processes, or, in the most critical scenario, achieve arbitrary code execution on vulnerable systems. The vulnerabilities impact a broad spectrum of NGINX components, including the Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager.

Table Of Content

  • Key Takeaways
  • F5 Issues Critical Patches for NGINX Vulnerabilities, Including Code Execution Risk
  • CVE-2026-42533: Heap Buffer Overflow
  • CVE-2026-60005: Uninitialized Memory Disclosure
  • CVE-2026-56434: Use-After-Free
  • Affected Products and Fixes
  • What You Should Do

CVE-2026-42533: Heap Buffer Overflow

The most critical of the identified vulnerabilities, CVE-2026-42533: Heap Buffer Overflow, has been assigned a CVSS v3.1 score of 8.1 (High) and a CVSS v4.0 score of 9.2 (Critical). This heap buffer overflow (CWE-122) vulnerability arises from how the NGINX map directive processes regular expression matching. Specifically, it occurs when a string expression references capture variables before the map’s output variable. Attackers can exploit this by sending specially crafted HTTP requests, leading to a heap buffer overflow within the NGINX worker process.

F5 warns that while the immediate impact is a service crash, attackers could potentially achieve arbitrary code execution, particularly on systems where Address Space Layout Randomization (ASLR) is disabled or successfully bypassed. As an interim mitigation, F5 advises administrators to transition from unnamed regex captures to named regex captures in their configurations.

CVE-2026-60005: Uninitialized Memory Disclosure

Another significant flaw, CVE-2026-60005: Uninitialized Memory Disclosure, carries CVSS scores of 8.2 (v3.1) and 8.8 (v4.0). This vulnerability specifically affects the ngx_http_slice_module, which is not enabled by default and requires the --with-http_slice_module build flag to be active. When the slice directive is used in conjunction with unnamed regex captures, or during background cache update operations, attackers can access uninitialized memory. This could result in limited data leakage or trigger a worker process restart. Similar to the heap buffer overflow, using named regex captures is recommended as a mitigation strategy.

CVE-2026-56434: Use-After-Free

Rated with a CVSS v3.1 score of 6.5 (Medium) and a CVSS v4.0 score of 8.3 (High), CVE-2026-56434: Use-After-Free impacts the ngx_http_ssi_module. This vulnerability manifests when Server-Side Includes (SSI) are utilized alongside the proxy_pass directive and proxy_buffering off. A man-in-the-middle attacker, capable of controlling upstream responses, could exploit this use-after-free (CWE-416) condition. The potential consequences include limited memory modification or a crash of the NGINX worker process. For this particular vulnerability, F5 indicates that no mitigation exists beyond applying the available patches.

Affected Products and Fixes

All three vulnerabilities affect the following NGINX products:

  • NGINX Plus (37.x): Fixed in version 37.0.3.1.
  • NGINX Open Source (1.x): Fixed in versions 1.31.3 and 1.30.4.
  • NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager are also impacted, with patches being rolled out across their respective branches. Some branches may still be awaiting the release of their specific fixes.

It is important to note that other F5 products, including BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS, and F5 AI Gateway, are not susceptible to these issues, as the vulnerabilities are confined to NGINX’s data plane components.

Given NGINX’s pervasive role in internet infrastructure, these vulnerabilities, especially CVE-2026-42533 with its code execution potential, represent attractive targets for malicious actors. Organizations operating NGINX Plus, Ingress Controller, or Gateway Fabric deployments must prioritize immediate patching, particularly if their configurations involve map directives with regex captures or the SSI module.

F5 acknowledged the contributions of more than a dozen independent researchers, including teams from AntAISecurityLab, EVO.company, and Vodafone Türkiye, for their responsible disclosure of CVE-2026-42533. CVE-2026-60005 was identified internally by F5, while researcher p4p3r reported CVE-2026-56434.

What You Should Do

  • Immediately Patch: Apply the latest NGINX Plus (37.0.3.1) and NGINX Open Source (1.31.3 / 1.30.4) updates. Monitor and apply patches for NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager as they become available for your specific branches.
  • Review Configurations: Audit your NGINX configurations for the use of map directives with unnamed regex captures and the ngx_http_ssi_module in conjunction with proxy_pass and proxy_buffering off.
  • Implement Mitigations: Where immediate patching is not feasible, switch from unnamed regex captures to named regex captures in your map and slice directives to mitigate CVE-2026-42533 and CVE-2026-60005.
  • Disable ASLR Bypass: Ensure Address Space Layout Randomization (ASLR) is enabled and properly configured on your systems to make exploitation of CVE-2026-42533 more difficult.
  • Stay Informed: Regularly check F5’s security advisories and NGINX release notes for further updates and guidance.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurity

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
US Charges Two Bulletproof Hosting Firms for Aiding Cybercrime
July 15, 2026
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us