F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
Key Takeaways F5 has issued critical patches for three high-severity vulnerabilities impacting NGINX Plus and NGINX Open Source. The most severe flaw, CVE-2026-42533, carries a CVSS v4.0 score of 9.2...
Key Takeaways
- F5 has issued critical patches for three high-severity vulnerabilities impacting NGINX Plus and NGINX Open Source.
- The most severe flaw, CVE-2026-42533, carries a CVSS v4.0 score of 9.2 (Critical) and could lead to arbitrary code execution.
- Affected products include NGINX Plus, NGINX Open Source, NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager.
- Unauthenticated attackers could exploit these flaws to trigger memory corruption, disclose sensitive data, or crash worker processes.
- Immediate patching is strongly recommended, especially for deployments utilizing regex captures in
mapdirectives or the Server-Side Includes (SSI) module.
F5 Issues Critical Patches for NGINX Vulnerabilities, Including Code Execution Risk
F5 has disclosed and patched three significant vulnerabilities within its NGINX Plus and NGINX Open Source products. These security flaws, published on July 15, 2026, range in severity and could allow unauthenticated attackers to corrupt memory, crash worker processes, or, in the most critical scenario, achieve arbitrary code execution on vulnerable systems. The vulnerabilities impact a broad spectrum of NGINX components, including the Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager.
Table Of Content
CVE-2026-42533: Heap Buffer Overflow
The most critical of the identified vulnerabilities, CVE-2026-42533: Heap Buffer Overflow, has been assigned a CVSS v3.1 score of 8.1 (High) and a CVSS v4.0 score of 9.2 (Critical). This heap buffer overflow (CWE-122) vulnerability arises from how the NGINX map directive processes regular expression matching. Specifically, it occurs when a string expression references capture variables before the map’s output variable. Attackers can exploit this by sending specially crafted HTTP requests, leading to a heap buffer overflow within the NGINX worker process.
F5 warns that while the immediate impact is a service crash, attackers could potentially achieve arbitrary code execution, particularly on systems where Address Space Layout Randomization (ASLR) is disabled or successfully bypassed. As an interim mitigation, F5 advises administrators to transition from unnamed regex captures to named regex captures in their configurations.
CVE-2026-60005: Uninitialized Memory Disclosure
Another significant flaw, CVE-2026-60005: Uninitialized Memory Disclosure, carries CVSS scores of 8.2 (v3.1) and 8.8 (v4.0). This vulnerability specifically affects the ngx_http_slice_module, which is not enabled by default and requires the --with-http_slice_module build flag to be active. When the slice directive is used in conjunction with unnamed regex captures, or during background cache update operations, attackers can access uninitialized memory. This could result in limited data leakage or trigger a worker process restart. Similar to the heap buffer overflow, using named regex captures is recommended as a mitigation strategy.
CVE-2026-56434: Use-After-Free
Rated with a CVSS v3.1 score of 6.5 (Medium) and a CVSS v4.0 score of 8.3 (High), CVE-2026-56434: Use-After-Free impacts the ngx_http_ssi_module. This vulnerability manifests when Server-Side Includes (SSI) are utilized alongside the proxy_pass directive and proxy_buffering off. A man-in-the-middle attacker, capable of controlling upstream responses, could exploit this use-after-free (CWE-416) condition. The potential consequences include limited memory modification or a crash of the NGINX worker process. For this particular vulnerability, F5 indicates that no mitigation exists beyond applying the available patches.
Affected Products and Fixes
All three vulnerabilities affect the following NGINX products:
- NGINX Plus (37.x): Fixed in version 37.0.3.1.
- NGINX Open Source (1.x): Fixed in versions 1.31.3 and 1.30.4.
- NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager are also impacted, with patches being rolled out across their respective branches. Some branches may still be awaiting the release of their specific fixes.
It is important to note that other F5 products, including BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS, and F5 AI Gateway, are not susceptible to these issues, as the vulnerabilities are confined to NGINX’s data plane components.
Given NGINX’s pervasive role in internet infrastructure, these vulnerabilities, especially CVE-2026-42533 with its code execution potential, represent attractive targets for malicious actors. Organizations operating NGINX Plus, Ingress Controller, or Gateway Fabric deployments must prioritize immediate patching, particularly if their configurations involve map directives with regex captures or the SSI module.
F5 acknowledged the contributions of more than a dozen independent researchers, including teams from AntAISecurityLab, EVO.company, and Vodafone Türkiye, for their responsible disclosure of CVE-2026-42533. CVE-2026-60005 was identified internally by F5, while researcher p4p3r reported CVE-2026-56434.
What You Should Do
- Immediately Patch: Apply the latest NGINX Plus (37.0.3.1) and NGINX Open Source (1.31.3 / 1.30.4) updates. Monitor and apply patches for NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager as they become available for your specific branches.
- Review Configurations: Audit your NGINX configurations for the use of
mapdirectives with unnamed regex captures and thengx_http_ssi_modulein conjunction withproxy_passandproxy_buffering off. - Implement Mitigations: Where immediate patching is not feasible, switch from unnamed regex captures to named regex captures in your
mapandslicedirectives to mitigate CVE-2026-42533 and CVE-2026-60005. - Disable ASLR Bypass: Ensure Address Space Layout Randomization (ASLR) is enabled and properly configured on your systems to make exploitation of CVE-2026-42533 more difficult.
- Stay Informed: Regularly check F5’s security advisories and NGINX release notes for further updates and guidance.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.