F5 Patches Multiple NGINX, BIG-IP Vulnerabilities
F5 patches eight vulnerabilities in NGINX and BIG-IP, including critical heap overflow flaw CVE-2026-42533.
Summary
F5 released an out-of-band security update addressing eight vulnerabilities across NGINX Plus, NGINX Open Source, NGINX Ingress Controller, and BIG-IP. The most critical flaw is CVE-2026-42533 (CVSS 9.2), a heap buffer overflow in NGINX that can lead to code execution on systems with ASLR disabled. Additional high-severity issues include memory leaks, process crashes, and authenticated configuration injection attacks, though F5 reports no active exploitation in the wild.
Full text
F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP. The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process. “A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains. An attacker can exploit the security defect without authentication, but only under conditions they cannot control. On systems with Address Space Layout Randomization (ASLR) disabled, the attacker can achieve code execution. F5’s patches also resolve several high-severity NGINX bugs, including weaknesses in the ngx_http_slice_module module and the ngx_http_ssi_module module that can be exploited without authentication. Successful exploitation of the flaws allows attackers to leak memory contents, restart the NGINX worker process, or cause a use-after-free in the NGINX worker process to modify memory or restart the process.Advertisement. Scroll to continue reading. Two high-severity vulnerabilities addressed in NGINX Ingress Controller could allow authenticated attackers to inject arbitrary NGINX configuration directives to delete files and disable services, or create or modify Ingress or TransportServer resources to cause a denial-of-service (DoS) condition. F5 also resolved a high-severity security defect in BIG-IP that could be exploited by remote, unauthenticated attackers to increase memory resource utilization when an HTTP/2 profile is configured on a virtual server, causing a DoS condition. F5 makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s out-of-band security notification. Related: Trend Micro, Tanium, ESET, and Tenable Patch Severe Product Vulnerabilities Related: Vulnerabilities Patched by Fortinet, Ivanti, ServiceNow Related: ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Rockwell Related: Critical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 Updates Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Vulnerabilities Patched by Fortinet, Ivanti, ServiceNowProgress Confirms Zero-Day Vulnerability Behind ShareFile DisruptionCritical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 UpdatesMicrosoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-DaysAdobe Patches Critical ColdFusion VulnerabilitiesSAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce CloudUS, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure RoutersMultiple Jscrambler Packages Impacted by Supply Chain Attack Latest News China’s Top Cybersecurity Firms Hit by Mounting Military Procurement BansOld UEFI Shims Expose Systems to Secure Boot BypassNightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day Trend Micro, Tanium, ESET and Tenable Patch Severe Product VulnerabilitiesUnpatched Cursor Vulnerability Exposes Users to Code ExecutionCISA Urges Immediate Patching of Exploited SharePoint VulnerabilitiesWindows Bind Link Attacks Can Hide Malware From EDR ToolsVirtual Event Today: Cloud & Data Security Summit Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 15, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveN-able has appointed Russell Rosa as Chief Revenue Officer.Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.F5 has appointed Cathy Peterman as Chief People Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2026-42533