F5 Patches High-Severity NGINX Vulnerabilities That Could Lead to Code Execution

The CyberSec Guru

F5 Patches High-Severity NGINX Vulnerabilities

If you like this post, then please share it:

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Why your support matters: Zero paywalls: Keep the main content 100% free for learners worldwide.

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

F5 has released security updates for three high-severity vulnerabilities affecting both NGINX Plus and NGINX Open Source, urging organizations to update their deployments as soon as possible.

The flaws impact several widely deployed NGINX-based products, including NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager. Depending on the vulnerability, a successful attack could allow an unauthenticated attacker to disclose memory, crash worker processes, corrupt memory, or potentially execute arbitrary code.

The vulnerabilities were disclosed on July 15, 2026, and while there is no indication of active exploitation at the time of writing, administrators should treat these issues as high priority because of NGINX’s widespread use in web infrastructure.

Nginx Logo
Nginx Logo

Overview of the Vulnerabilities

F5 addressed three separate vulnerabilities, each affecting different parts of the NGINX codebase.

CVE-2026-42533: Heap Buffer Overflow With Potential Code Execution

The most severe vulnerability is CVE-2026-42533. It has been assigned a CVSS v3.1 score of 8.1 (High) and a CVSS v4.0 score of 9.2 (Critical).

The issue exists in the way the map directive processes regular expression matches. Under specific conditions, if a configuration references unnamed regex capture variables before the map’s output variable, an attacker can send a specially crafted HTTP request that triggers a heap buffer overflow inside an NGINX worker process.

In many environments, exploitation would likely result in a worker process crash or denial of service. However, F5 notes that systems where Address Space Layout Randomization (ASLR) is disabled or successfully bypassed may be vulnerable to arbitrary code execution.

As a temporary mitigation, administrators can replace unnamed regular expression captures with named regex captures until patches are applied.

CVE-2026-60005: Uninitialized Memory Disclosure

The second vulnerability, CVE-2026-60005, affects the ngx_http_slice_module, which is not enabled by default and must be compiled using the --with-http_slice_module build option.

The flaw can expose uninitialized memory when the slice directive is combined with unnamed regex captures or during background cache updates.

Successful exploitation may allow an attacker to obtain limited portions of memory or cause an NGINX worker process to restart unexpectedly.

Like the previous issue, F5 recommends replacing unnamed regex captures with named captures where possible until systems are updated.

CVE-2026-56434: Use-After-Free Vulnerability

The third issue, CVE-2026-56434, is a use-after-free vulnerability affecting the ngx_http_ssi_module.

The flaw occurs when Server-Side Includes (SSI) are used together with proxy_pass while proxy_buffering is disabled.

Unlike the other two vulnerabilities, exploitation requires a man-in-the-middle attacker capable of manipulating responses from an upstream server. If successfully exploited, the vulnerability could cause limited memory corruption or crash the affected worker process.

F5 has stated that there is no practical workaround for this issue, making patching the only effective solution.

Affected Products

The vulnerabilities affect multiple NGINX-based products across both commercial and open-source editions.

Affected products include:

  • NGINX Plus
  • NGINX Open Source
  • NGINX Ingress Controller
  • NGINX Gateway Fabric
  • NGINX App Protect WAF
  • NGINX Instance Manager

The fixes are available in the following versions:

ProductFixed Version
NGINX Plus 37.x37.0.3.1
NGINX Open Source 1.x1.31.3 / 1.30.4

Updates for supported versions of Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager are being released according to their individual maintenance branches.

F5 also confirmed that the following products are not affected:

  • BIG-IP
  • BIG-IQ
  • F5 Distributed Cloud
  • F5OS
  • F5 AI Gateway

Why This Matters

NGINX remains one of the most widely deployed web servers and reverse proxies on the internet, powering everything from enterprise applications and APIs to Kubernetes ingress deployments and cloud-native services.

Because of its extensive adoption, vulnerabilities affecting the NGINX request processing pipeline often attract significant attention from attackers. Among the three newly disclosed issues, CVE-2026-42533 deserves particular attention due to its potential for remote code execution under certain conditions.

Even when code execution is not achievable, memory corruption and worker process crashes can still be used to disrupt services or create opportunities for further attacks.

What Administrators Should Do

Organizations running affected versions should prioritize installing the latest security updates.

Until patching is complete, administrators should also:

  • Review configurations using the map directive together with regular expression captures.
  • Replace unnamed regex captures with named captures where practical.
  • Determine whether the ngx_http_slice_module is enabled.
  • Identify deployments using SSI with proxy_pass and proxy_buffering off.
  • Monitor NGINX worker processes for unexpected crashes or abnormal behavior.

While temporary mitigations may reduce exposure for some configurations, they do not eliminate the underlying vulnerabilities.

Responsible Disclosure

F5 credited more than a dozen independent security researchers for responsibly reporting CVE-2026-42533, including contributors from AntAISecurityLab, EVO.company, and Vodafone Türkiye.

The CVE-2026-60005 vulnerability was discovered internally by F5, while CVE-2026-56434 was reported by security researcher p4p3r.

Final Thoughts

These vulnerabilities highlight how seemingly small implementation issues in core web infrastructure can have significant security implications. Given NGINX’s role in modern application delivery, organizations should not delay applying the available updates.

Administrators responsible for internet-facing NGINX deployments, Kubernetes ingress environments, or F5’s NGINX-based products should review their installations immediately and upgrade to the latest patched releases to minimize the risk of disruption or exploitation.

Buy me A Coffee!

Support The CyberSec Guru’s Mission

🔐 Fuel the cybersecurity crusade by buying me a coffee! Your contribution powers free tutorials, hands-on labs, and security resources.

Why your support matters:
  • Writeup Access: Get complete writeup access within 12 hours
  • Zero paywalls: Keep the main content 100% free for learners worldwide

Perks for one-time supporters:
☕️ $5: Shoutout in Buy Me a Coffee
🛡️ $8: Fast-track Access to Live Webinars
💻 $10: Vote on future tutorial topics + exclusive AMA access

“Your coffee keeps the servers running and the knowledge flowing in our fight against cybercrime.”☕ Support My Work

Buy Me a Coffee Button

If you like this post, then please share it:

News

Discover more from The CyberSec Guru

Subscribe to get the latest posts sent to your email!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from The CyberSec Guru

Subscribe now to keep reading and get access to the full archive.

Continue reading