F5 Patches Over 50 Vulnerabilities Across BIG-IP, BIG-IQ, and NGINX
F5 has released patches for over 50 vulnerabilities across its BIG-IP, BIG-IQ, and NGINX products, including 19 high-severity flaws, with the most critical being a heap buffer overflow in NGINX's rewrite module.

F5 on Wednesday announced fixes for over 50 vulnerabilities spanning its BIG-IP, BIG-IQ, and NGINX product lines. The batch includes 19 high-severity and 32 medium-severity flaws, addressing issues that could lead to denial-of-service, remote code execution, privilege escalation, and information disclosure. No in-the-wild exploitation has been reported for any of the vulnerabilities.
The most severe vulnerability is CVE-2026-42945, a heap buffer overflow in NGINX's ngx_http_rewrite_module with a CVSS v4.0 score of 9.2. An unauthenticated attacker can trigger a denial-of-service condition by sending crafted HTTP requests under specific conditions. If Address Space Layout Randomization (ASLR) is disabled, the flaw could be exploited for code execution. This vulnerability is particularly concerning given NGINX's widespread use as a web server and reverse proxy.
Another high-severity issue, CVE-2026-41225 (CVSS 8.6), affects iControl REST and allows authenticated attackers with at least Manager permissions to create configuration objects, leading to command execution. F5 notes that this is a control plane issue with no data plane exposure, but it could allow privilege escalation or bypass of Appliance mode restrictions in certain deployments.
Additional high-severity remote code execution vulnerabilities include CVE-2026-41957, CVE-2026-34176, and CVE-2026-39459, all requiring authentication. Other high-severity flaws could lead to restriction bypass, arbitrary file tampering, or denial-of-service by causing the Traffic Management Microkernel (TMM) to terminate. The medium-severity issues cover a range of impacts including security protection bypass, privilege escalation, information disclosure, arbitrary system command execution, DoS conditions, code injection, and arbitrary local file tampering.
F5 has provided patches and workarounds in its quarterly security notification. Administrators are urged to apply the updates promptly to mitigate risks. The company also recommends disabling ASLR only when absolutely necessary, since running without it increases exposure to code execution attacks.
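A host-side check for the two conditions this advisory singles out, the ASLR setting and whether the installed NGINX build includes ngx_http_rewrite_module. This is an added example, not F5's or NGINX's own tooling; it assumes a Linux host, reads the kernel's randomize_va_space sysctl, and parses the configure arguments printed by `nginx -V`.

```shell
#!/bin/sh
# Classify the Linux ASLR setting from /proc/sys/kernel/randomize_va_space:
# 0 = disabled, 1 = partial (stack, mmap, vdso), 2 = full (also randomizes brk).
aslr_status() {
    case "$1" in
        2) echo "full" ;;
        1) echo "partial" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Return 0 when the `nginx -V` configure arguments include the rewrite module.
# NGINX compiles it in by default; it is absent only if the build was
# configured with --without-http_rewrite_module.
rewrite_module_built_in() {
    if printf '%s\n' "$1" | grep -q -- '--without-http_rewrite_module'; then
        return 1
    fi
    return 0
}

# Report both findings for this host, reading live system state.
report() {
    aslr=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo "?")
    echo "ASLR: $(aslr_status "$aslr") (randomize_va_space=$aslr)"
    if command -v nginx >/dev/null 2>&1; then
        args=$(nginx -V 2>&1)
        if rewrite_module_built_in "$args"; then
            echo "NGINX: rewrite module present in this build"
        else
            echo "NGINX: built --without-http_rewrite_module"
        fi
    else
        echo "NGINX: binary not found in PATH"
    fi
}

report
```

An ASLR status other than "full" on a host running a build with the rewrite module is the combination the advisory warns about and should be prioritised for patching.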
This patch batch underscores the ongoing challenge of securing complex network infrastructure. With no active exploitation reported, organizations have a window to patch before adversaries develop exploits. The inclusion of NGINX vulnerabilities highlights the importance of securing not just application delivery controllers but also the underlying web server software.