F5 Networks has announced the resolution of three significant vulnerabilities impacting NGINX Plus and NGINX Open Source. These flaws, if exploited, could lead to memory corruption, crashes, or even arbitrary code execution by unauthorized users.
Details of the Vulnerabilities
The vulnerabilities, disclosed on July 15, 2026, pertain to critical NGINX components such as the Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager. Each of these elements is widely integrated into numerous internet-facing infrastructures, highlighting the urgency for remediation.
Among the vulnerabilities, CVE-2026-42533 stands out due to its critical nature. It has received a CVSS v3.1 score of 8.1, escalating to 9.2 under CVSS v4.0. The issue arises from improper handling of regex matches within map directives, potentially causing a heap buffer overflow (CWE-122). This flaw can be exploited by sending crafted HTTP requests, leading to code execution if ASLR is bypassed.
Technical Implications and Mitigations
Another vulnerability, CVE-2026-60005, affects the ngx_http_slice_module, with scores of 8.2 and 8.8 under different CVSS versions. This flaw exposes uninitialized memory when unnamed regex captures are used, risking data leakage or system restarts. Mitigation involves using named captures to prevent such exploits.
CVE-2026-56434, rated Medium/High, involves a use-after-free vulnerability within the ngx_http_ssi_module. This issue can arise when Server-Side Includes are combined with proxy configurations, enabling attackers to cause limited memory modifications or crashes. The primary solution is to apply the available patches.
Impact on NGINX Products
These vulnerabilities affect multiple NGINX products, including NGINX Plus versions up to 37.x and NGINX Open Source up to 1.31.3 / 1.30.4. Affected products like the NGINX Ingress Controller and Gateway Fabric are receiving updates, although some branches await patches.
Importantly, other F5 products such as BIG-IP and F5 Distributed Cloud are not susceptible to these issues. Organizations utilizing the impacted NGINX components should prioritize updates, especially those using map directives or the SSI module.
F5 has acknowledged contributions from independent researchers and internal teams for identifying these vulnerabilities. The swift patching underscores the critical nature of maintaining updated security measures to protect against potential cyber threats.
NGINX’s prominence in web infrastructure makes these vulnerabilities particularly attractive to attackers. Ensuring timely patching of these components is essential to safeguarding network integrity.
