F5 Patches Multiple NGINX, BIG-IP Vulnerabilities
F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP.
The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process.
“A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains.
An attacker can exploit the security defect without authentication, but only under conditions they cannot control. On systems with Address Space Layout Randomization (ASLR) disabled, the attacker can achieve code execution.
F5’s patches also resolve several high-severity NGINX bugs, including weaknesses in the ngx_http_slice_module module and the ngx_http_ssi_module module that can be exploited without authentication.
Successful exploitation of the flaws allows attackers to leak memory contents, restart the NGINX worker process, or cause a use-after-free in the NGINX worker process to modify memory or restart the process.
Two high-severity vulnerabilities addressed in NGINX Ingress Controller could allow authenticated attackers to inject arbitrary NGINX configuration directives to delete files and disable services, or create or modify Ingress or TransportServer resources to cause a denial-of-service (DoS) condition.
F5 also resolved a high-severity security defect in BIG-IP that could be exploited by remote, unauthenticated attackers to increase memory resource utilization when an HTTP/2 profile is configured on a virtual server, causing a DoS condition.
F5 makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s out-of-band security notification.
Related: Trend Micro, Tanium, ESET, and Tenable Patch Severe Product Vulnerabilities
Related: Vulnerabilities Patched by Fortinet, Ivanti, ServiceNow
Related: ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Rockwell
Related: Critical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 Updates