On Wednesday, F5 Networks released an out-of-band security update addressing eight vulnerabilities in their NGINX and BIG-IP products. The update, which targets multiple security flaws, aims to enhance system protection and prevent potential exploitation.
Critical NGINX Vulnerability Details
Among the vulnerabilities, the most critical is identified as CVE-2026-42533, with a CVSS score of 9.2. This flaw in NGINX Plus and NGINX Open Source could be exploited by malicious actors through crafted HTTP requests, potentially causing a heap buffer overflow and restarting the NGINX worker process.
F5 has detailed that the vulnerability arises when a map directive utilizes regex matching alongside a string expression that references the map’s regex capture variables before the map output variable. This condition can also occur by employing a non-cacheable variable within a string expression under certain scenarios.
Exploitation Without Authentication
Notably, attackers can exploit this defect without needing authentication, though certain conditions must be present that are beyond the attacker’s control. For systems where Address Space Layout Randomization (ASLR) is disabled, the vulnerability could enable code execution, posing significant security risks.
The security patches also address several high-severity vulnerabilities in NGINX modules, such as the ngx_http_slice_module and ngx_http_ssi_module, which do not require authentication for exploitation. These vulnerabilities could lead to memory content leakage, process restarts, or use-after-free conditions, allowing memory modification or process restarts.
Additional Vulnerabilities in NGINX Ingress Controller and BIG-IP
Furthermore, F5’s update includes fixes for two high-severity vulnerabilities in the NGINX Ingress Controller. These could enable authenticated attackers to inject arbitrary NGINX configuration directives, potentially leading to file deletions, service disruptions, or denial-of-service (DoS) conditions by manipulating Ingress or TransportServer resources.
Another significant vulnerability addressed in the BIG-IP system involves increased memory resource utilization when an HTTP/2 profile is configured on a virtual server. This flaw could be exploited remotely and without authentication, leading to a DoS condition.
F5 has not reported any incidents of these vulnerabilities being actively exploited in real-world scenarios. For more detailed information, F5 has published an out-of-band security notification on their official website.
For related security updates, various companies such as Trend Micro, Tanium, ESET, and Tenable have also recently patched severe product vulnerabilities. Additionally, major updates have been released by other firms including Fortinet, Ivanti, ServiceNow, Siemens, Schneider, and Rockwell.
