Critical NGINX Vulnerabilities Patched by F5

Critical NGINX Vulnerabilities Patched by F5

Posted on By CWS

F5 has issued urgent security updates to address several vulnerabilities in NGINX, a widely used web server software. The updates released on Wednesday include patches for critical flaws that pose significant security risks.

Critical Vulnerabilities Discovered

The most alarming of these vulnerabilities are identified as CVE-2026-42530 and CVE-2026-42055, each with a CVSS score of 9.2. These bugs impact HTTP modules and could be exploited without authentication, leading to a use-after-free or a heap-based buffer overflow condition.

If these vulnerabilities are exploited, the NGINX worker process may restart, causing a denial-of-service (DoS) scenario. Moreover, in situations where Address Space Layout Randomization (ASLR) is disabled or circumvented, attackers could execute arbitrary code.

Updated Versions and Additional Fixes

In response, F5 has released updated versions of NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric, which rectify these critical issues. Additionally, the company has addressed two high-severity vulnerabilities, CVE-2026-11311 and CVE-2026-50107, specifically in the NGINX Gateway Fabric.

These high-severity flaws could enable authenticated attackers to inject arbitrary NGINX configuration directives, potentially exposing sensitive data, redirecting traffic to malicious endpoints, or causing a DoS condition by injecting problematic configurations.

Medium-Severity Issues and Security Recommendations

F5 also patched two medium-severity vulnerabilities that allowed remote attackers to either disclose memory contents or restart the NGINX worker process, both of which could result in a DoS condition.

While there are no current reports of these vulnerabilities being exploited in the wild, F5 emphasizes the importance of applying these patches promptly, as NGINX has been a recent target of cyber attacks.

For more detailed information, users are encouraged to review F5’s official security notification.

Conclusion and Future Implications

These updates underscore the necessity for organizations to remain vigilant and proactive in maintaining the security of their systems. As cyber threats evolve, timely application of security patches is crucial to safeguarding digital infrastructures.

Security Week News Tags:, , , , , , , , ,

Related Posts

Over 100 Organizations Targeted in ShinyHunters Phishing Campaign Over 100 Organizations Targeted in ShinyHunters Phishing Campaign Security Week News
Beyond GenAI: Why Agentic AI Was the Real Conversation at RSA 2025 Beyond GenAI: Why Agentic AI Was the Real Conversation at RSA 2025 Security Week News
Ongoing Campaign Uses 60 NPM Packages to Steal Data Ongoing Campaign Uses 60 NPM Packages to Steal Data Security Week News
Hackers Win 0,000 on First Day of Pwn2Own Berlin 2025 Hackers Win $260,000 on First Day of Pwn2Own Berlin 2025 Security Week News
Apple Rolls Out iOS 26, macOS Tahoe 26 With Patches for Over 50 Vulnerabilities Apple Rolls Out iOS 26, macOS Tahoe 26 With Patches for Over 50 Vulnerabilities Security Week News
Pixnapping Attack Steals Data From Google, Samsung Android Phones Pixnapping Attack Steals Data From Google, Samsung Android Phones Security Week News