Critical NGINX Vulnerabilities Patched by F5

Critical NGINX Vulnerabilities Patched by F5

Posted on By CWS

F5 has issued urgent security updates to address several vulnerabilities in NGINX, a widely used web server software. The updates released on Wednesday include patches for critical flaws that pose significant security risks.

Critical Vulnerabilities Discovered

The most alarming of these vulnerabilities are identified as CVE-2026-42530 and CVE-2026-42055, each with a CVSS score of 9.2. These bugs impact HTTP modules and could be exploited without authentication, leading to a use-after-free or a heap-based buffer overflow condition.

If these vulnerabilities are exploited, the NGINX worker process may restart, causing a denial-of-service (DoS) scenario. Moreover, in situations where Address Space Layout Randomization (ASLR) is disabled or circumvented, attackers could execute arbitrary code.

Updated Versions and Additional Fixes

In response, F5 has released updated versions of NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric, which rectify these critical issues. Additionally, the company has addressed two high-severity vulnerabilities, CVE-2026-11311 and CVE-2026-50107, specifically in the NGINX Gateway Fabric.

These high-severity flaws could enable authenticated attackers to inject arbitrary NGINX configuration directives, potentially exposing sensitive data, redirecting traffic to malicious endpoints, or causing a DoS condition by injecting problematic configurations.

Medium-Severity Issues and Security Recommendations

F5 also patched two medium-severity vulnerabilities that allowed remote attackers to either disclose memory contents or restart the NGINX worker process, both of which could result in a DoS condition.

While there are no current reports of these vulnerabilities being exploited in the wild, F5 emphasizes the importance of applying these patches promptly, as NGINX has been a recent target of cyber attacks.

For more detailed information, users are encouraged to review F5’s official security notification.

Conclusion and Future Implications

These updates underscore the necessity for organizations to remain vigilant and proactive in maintaining the security of their systems. As cyber threats evolve, timely application of security patches is crucial to safeguarding digital infrastructures.

Security Week News Tags:, , , , , , , , ,

Related Posts

CitrixBleed 2 Flaw Poses Unacceptable Risk: CISA CitrixBleed 2 Flaw Poses Unacceptable Risk: CISA Security Week News
Follow Pragmatic Interventions to Keep Agentic AI in Check Follow Pragmatic Interventions to Keep Agentic AI in Check Security Week News
Iranian Hackers Implicated in LA Metro Cyberattack Iranian Hackers Implicated in LA Metro Cyberattack Security Week News
FTC Calls on Tech Firms to Resist Foreign Anti-Encryption Demands FTC Calls on Tech Firms to Resist Foreign Anti-Encryption Demands Security Week News
UK Hacker Admits to Crypto Theft in US Court UK Hacker Admits to Crypto Theft in US Court Security Week News
Novel 5G Attack Bypasses Need for Malicious Base Station Novel 5G Attack Bypasses Need for Malicious Base Station Security Week News