VYPR
patchPublished Jul 16, 2026· 1 source

F5 Patches Three Critical NGINX Vulnerabilities, Including Heap Overflow and Code Execution Flaws

F5 has released patches for three high-severity vulnerabilities in NGINX Plus and Open Source, with one flaw potentially allowing unauthenticated attackers to execute arbitrary code.

F5 has announced the release of patches for three significant vulnerabilities affecting its NGINX Plus and NGINX Open Source products. These flaws, disclosed on July 15, 2026, pose risks ranging from denial-of-service to arbitrary code execution, with one critical vulnerability carrying a CVSS v4.0 score of 9.2.

The most severe of the vulnerabilities, CVE-2026-42533, is a heap buffer overflow flaw. It arises from the way the map directive handles regular expression matching when a string expression references capture variables before the map's output variable. Attackers can exploit this by sending specially crafted HTTP requests, leading to a heap buffer overflow within the NGINX worker process. While this can cause service crashes, F5 warns that it could also lead to arbitrary code execution on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.

To mitigate CVE-2026-42533 without patching, F5 recommends switching to named regex captures instead of unnamed ones in the map directive. This change addresses the root cause of the overflow by altering how capture variables are handled.

Another vulnerability, CVE-2026-60005, affects the ngx_http_slice_module. This module is not enabled by default and requires specific build flags. When the slice directive is used in conjunction with unnamed regex captures or during background cache updates, attackers can trigger an uninitialized memory disclosure. This could lead to limited data leakage or a worker process restart. Similar to the first vulnerability, using named captures is recommended as a mitigation strategy.

The third vulnerability, CVE-2026-56434, is a use-after-free flaw impacting the ngx_http_ssi_module. This issue occurs when Server-Side Includes (SSI) are used alongside proxy_pass with proxy_buffering disabled. A man-in-the-middle attacker who can control upstream responses could exploit this to trigger a use-after-free condition, potentially leading to limited memory modification or a service crash. For this vulnerability, patching is the only available mitigation.

These vulnerabilities affect various NGINX components, including NGINX Plus (versions prior to 37.0.3.1), NGINX Open Source (versions prior to 1.31.3 or 1.30.4), and related products like the Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager. While some branches of these related products are still awaiting patches, F5 has confirmed that core products like BIG-IP, BIG-IQ, and F5 Distributed Cloud are not vulnerable.

Given NGINX's widespread use in internet-facing infrastructure, these vulnerabilities, particularly CVE-2026-42533 due to its code execution potential, represent a significant risk. Organizations utilizing affected NGINX deployments are strongly advised to prioritize applying the available patches to protect their systems from exploitation.

Synthesized by Vypr AI