Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
F5 Addresses Critical NGINX and BIG-IP Security Flaws

F5 Addresses Critical NGINX and BIG-IP Security Flaws

Posted on July 16, 2026 By CWS

On Wednesday, F5 Networks released an out-of-band security update addressing eight vulnerabilities in their NGINX and BIG-IP products. The update, which targets multiple security flaws, aims to enhance system protection and prevent potential exploitation.

Critical NGINX Vulnerability Details

Among the vulnerabilities, the most critical is identified as CVE-2026-42533, with a CVSS score of 9.2. This flaw in NGINX Plus and NGINX Open Source could be exploited by malicious actors through crafted HTTP requests, potentially causing a heap buffer overflow and restarting the NGINX worker process.

F5 has detailed that the vulnerability arises when a map directive utilizes regex matching alongside a string expression that references the map’s regex capture variables before the map output variable. This condition can also occur by employing a non-cacheable variable within a string expression under certain scenarios.

Exploitation Without Authentication

Notably, attackers can exploit this defect without needing authentication, though certain conditions must be present that are beyond the attacker’s control. For systems where Address Space Layout Randomization (ASLR) is disabled, the vulnerability could enable code execution, posing significant security risks.

The security patches also address several high-severity vulnerabilities in NGINX modules, such as the ngx_http_slice_module and ngx_http_ssi_module, which do not require authentication for exploitation. These vulnerabilities could lead to memory content leakage, process restarts, or use-after-free conditions, allowing memory modification or process restarts.

Additional Vulnerabilities in NGINX Ingress Controller and BIG-IP

Furthermore, F5’s update includes fixes for two high-severity vulnerabilities in the NGINX Ingress Controller. These could enable authenticated attackers to inject arbitrary NGINX configuration directives, potentially leading to file deletions, service disruptions, or denial-of-service (DoS) conditions by manipulating Ingress or TransportServer resources.

Another significant vulnerability addressed in the BIG-IP system involves increased memory resource utilization when an HTTP/2 profile is configured on a virtual server. This flaw could be exploited remotely and without authentication, leading to a DoS condition.

F5 has not reported any incidents of these vulnerabilities being actively exploited in real-world scenarios. For more detailed information, F5 has published an out-of-band security notification on their official website.

For related security updates, various companies such as Trend Micro, Tanium, ESET, and Tenable have also recently patched severe product vulnerabilities. Additionally, major updates have been released by other firms including Fortinet, Ivanti, ServiceNow, Siemens, Schneider, and Rockwell.

Security Week News Tags:Authentication, BIG-IP, CVE, Cybersecurity, Exploitation, F5, heap buffer overflow, NGINX, security patch, Vulnerabilities

Post navigation

Previous Post: Zoom Resolves Critical Windows Vulnerability
Next Post: Critical Zoom Vulnerability on Windows Requires Urgent Update

Related Posts

China’s Salt Typhoon Hacked Critical Infrastructure Globally for Years China’s Salt Typhoon Hacked Critical Infrastructure Globally for Years Security Week News
Organizations Warned of Exploited PaperCut Flaw Organizations Warned of Exploited PaperCut Flaw Security Week News
Myanmar Military Shuts Down Major Cybercrime Center and Detains Over 2,000 People Myanmar Military Shuts Down Major Cybercrime Center and Detains Over 2,000 People Security Week News
Adobe Patches Critical Apache Tika Bug in ColdFusion Adobe Patches Critical Apache Tika Bug in ColdFusion Security Week News
Lumma Stealer Malware Returns After Takedown Attempt Lumma Stealer Malware Returns After Takedown Attempt Security Week News
Data Breach at Doctors Imaging Group Impacts 171,000 People Data Breach at Doctors Imaging Group Impacts 171,000 People Security Week News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical Zoom Vulnerability on Windows Requires Urgent Update
  • F5 Addresses Critical NGINX and BIG-IP Security Flaws
  • Zoom Resolves Critical Windows Vulnerability
  • TuxBot v3 Botnet Threatens IoT Devices Globally
  • China’s Military Tightens Cybersecurity Vendor Restrictions

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical Zoom Vulnerability on Windows Requires Urgent Update
  • F5 Addresses Critical NGINX and BIG-IP Security Flaws
  • Zoom Resolves Critical Windows Vulnerability
  • TuxBot v3 Botnet Threatens IoT Devices Globally
  • China’s Military Tightens Cybersecurity Vendor Restrictions

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark