TL;DR
F5 has patched three memory safety flaws in NGINX Plus and NGINX Open Source. The most severe, CVE-2026-42533, is an NGINX code execution vulnerability in the map directive. It scores 9.2 (Critical) on CVSS v4.0, and fixed releases are available now.
- Product: F5 NGINX Plus
- Vulnerabilities: 3 flaws (CVE-2026-42533, CVE-2026-56434, CVE-2026-60005)
- Highest severity: 9.2 (Critical · CVSSv4)
- Worst impact: NGINX Map directive and Regex matching
- Status: No confirmed exploitation yet; patches available
- Action: Update to 37.0.3.1, R36 P7, 1.31.3, 1.30.4 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-60005 | 8.2 | NGINX ngx_http_slice_module | 37.0.3.1, R36 P7, 1.31.3 (+1) | Not exploited |
| CVE-2026-42533 | 8.1 | NGINX Map directive and Regex matching | 37.0.3.1, R36 P7, 1.31.3 (+1) | Not exploited |
| CVE-2026-56434 | 6.5 | NGINX ngx_http_ssi_module | 37.0.3.1, R36 P7, 1.31.3 (+1) | Not exploited |
Why It Matters
NGINX sits in front of a large share of the world’s web traffic. All three flaws live in the data plane, so unauthenticated attackers can reach them with crafted HTTP requests. Moreover, the bugs extend into downstream products such as NGINX Ingress Controller, NGINX Gateway Fabric, NGINX App Protect WAF, and NGINX Instance Manager. F5 has not confirmed in-the-wild exploitation or a public proof-of-concept for any of the three issues.
How the Attacks Work
CVE-2026-42533: Heap Overflow in the Map Directive
This flaw appears when a map directive uses regex matching and a string expression references the map’s regex capture variables before the map output variable. A non-cacheable variable in a string expression can produce the same result under certain conditions. According to F5’s related advisory set and the dedicated K000162097 advisory, crafted requests can then trigger a heap buffer overflow in the worker process. The crash typically forces a worker restart. However, attackers can achieve NGINX code execution when ASLR is disabled or bypassed.
CVE-2026-60005: Uninitialized Memory in the Slice Module
The second flaw sits in ngx_http_slice_module, which is off by default. It surfaces when the slice directive runs with unnamed regex captures, or when a background cache update occurs. Unauthenticated attackers can trigger uninitialized memory access in the worker process. As a result, limited memory disclosure or a restart may follow. F5 rates it High, at 8.8 on CVSS v4.0.
CVE-2026-56434: Use-After-Free in the SSI Module
The third bug requires Server-Side Includes, proxy_pass, and proxy_buffering off in combination. An attacker with man-in-the-middle control over upstream responses can cause a use-after-free in the worker process. Consequently, limited memory modification or a restart becomes possible, per advisory K000162098. This one scores 8.3 (High) on CVSS v4.0.
Affected Versions
NGINX Open Source 1.31.2 and 1.30.0 through 1.30.3 are vulnerable to all three CVEs. NGINX Plus 37.0.0.1 through 37.0.2.1 and releases R33 through R36 are affected as well. In addition, F5 lists NGINX Instance Manager 2.17.0 to 2.22.1, F5 WAF for NGINX 5.9.0 to 5.13.3, NGINX App Protect WAF 4.x and 5.x, NGINX Gateway Fabric 1.x and 2.x, and several NGINX Ingress Controller branches. Other NGINX products remain unaffected, according to the vendor.
Patches and Mitigation
Upgrade NGINX Open Source to 1.31.3 or 1.30.4. NGINX Plus users should move to 37.0.3.1 or R36 P7. Fixes also landed in NGINX Gateway Fabric 2.6.7 and NGINX Ingress Controller 5.5.3 or 2026-lts-r4. If you cannot patch immediately, F5 recommends configuration changes instead. Replace unnamed regex captures with named captures, and reference them only inside the block that holds the regex match. That single step blunts both the NGINX code execution flaw and the slice module bug while you schedule upgrades.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.