F5 has disclosed three high-severity vulnerabilities affecting NGINX Plus and NGINX Open Source, warning that unauthenticated attackers could exploit them to trigger memory corruption, crash worker processes, or, in the worst case, execute arbitrary code.
The vulnerabilities, published on July 15, 2026, affect widely used NGINX components, including the Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager.
CVE-2026-42533: Heap Buffer Overflow
The most serious of the three, CVE-2026-42533, carries a CVSS v3.1 score of 8.1 (High) and a CVSS v4.0 score of 9.2 (Critical). It stems from how the map directive handles regex matching when a string expression references capture variables before the map’s output variable. An attacker can send crafted HTTP requests to trigger a heap buffer overflow (CWE-122) in the NGINX worker process.
Beyond crashing the service, F5 warns attackers could achieve code execution on systems where Address Space Layout Randomization (ASLR) is disabled or bypassed. F5 recommends switching to named regex captures instead of unnamed ones as a mitigation.
CVE-2026-60005: Uninitialized Memory Disclosure
This flaw (CVSS 8.2/8.8) affects the ngx_http_slice_module, which isn’t enabled by default and requires the –with-http_slice_module build flag.
When the slice directive is paired with unnamed regex captures, or during background cache updates, attackers can access uninitialized memory, causing limited data leakage or a worker restart. Mitigation again involves using named captures.
CVE-2026-56434: Use-After-Free
Rated Medium/High (6.5 CVSS v3.1, 8.3 CVSS v4.0), this bug affects the ngx_http_ssi_module when Server-Side Includes are used alongside proxy_pass and proxy_buffering off.
A man-in-the-middle attacker controlling upstream responses could trigger a use-after-free (CWE-416), leading to limited memory modification or a crash. No mitigation exists beyond patching.
All three vulnerabilities affect the same range of products:
NGINX Plus (37.x): fixed in 37.0.3.1
NGINX Open Source (1.x): fixed in 1.31.3 / 1.30.4
NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager are also affected, with fixes rolling out per branch (some branches still awaiting patches)
Notably, BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS, and F5 AI Gateway are not vulnerable; the issues are confined to NGINX’s data plane components.
NGINX powers a massive share of internet-facing infrastructure, making these flaws attractive targets for opportunistic attackers, especially CVE-2026-42533 given its code-execution potential.
Organizations running affected NGINX Plus, Ingress Controller, or Gateway Fabric deployments should prioritize patching immediately, particularly if map directives with regex captures, or the SSI module are in active use.
F5 credited over a dozen independent researchers — including teams from AntAISecurityLab, EVO.company, and Vodafone Türkiye — for responsibly disclosing CVE-2026-42533, while CVE-2026-60005 was found internally and CVE-2026-56434 was reported by researcher p4p3r.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post F5 Patches Multiple NGINX Vulnerabilities Enabling Heap Buffer Overflow and Code Execution Attacks appeared first on Cyber Security News.



