F5 Fixes Three NGINX Memory Flaws, Including Conditional Code Execution Risk
F5 has released security updates for three NGINX memory-safety vulnerabilities that can expose affected servers to denial-of-service attacks, limited memory disclosure or memory modification. The most serious flaw may also enable code execution under specific system conditions.
The vulnerabilities are tracked as CVE-2026-42533, CVE-2026-60005 and CVE-2026-56434. They affect NGINX Plus and NGINX Open Source when particular directives, modules and configuration combinations are present.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Administrators can address all three issues in NGINX Open Source by installing version 1.31.3 or 1.30.4. F5 published the fixes on July 15, 2026, and updated the official NGINX security advisories with the affected version ranges.
Three NGINX Vulnerabilities at a Glance
| Vulnerability | Affected component | CVSS v3.1 | CVSS v4.0 | Potential impact |
|---|---|---|---|---|
| CVE-2026-42533 | map directive with regular expressions | 8.1 High | 9.2 Critical | Worker crash, heap buffer overflow and conditional code execution |
| CVE-2026-60005 | ngx_http_slice_module | 8.2 High | 8.8 High | Limited memory disclosure or worker restart |
| CVE-2026-56434 | ngx_http_ssi_module | 6.5 Medium | 8.3 High | Limited memory modification or worker restart |
All three weaknesses affect the NGINX data plane rather than an administrative control plane. Their practical risk depends on whether the vulnerable modules and directives are enabled in a deployment.
F5 did not report confirmed exploitation when it published the advisories. Internet-facing NGINX systems should still be reviewed quickly because specially crafted traffic can reach vulnerable worker processes without an authenticated NGINX account.
CVE-2026-42533 Can Cause a Heap Buffer Overflow
CVE-2026-42533 is the most serious issue in the group. According to the F5 map directive advisory, the vulnerability can occur when a string expression references regular-expression capture variables before the output variable of a map block.
A remote, unauthenticated attacker can send a crafted HTTP request that triggers a heap buffer overflow in an NGINX worker process. A successful attack may restart the worker and interrupt requests being handled by that process.
F5 also warns of possible code execution when Address Space Layout Randomization is disabled or when an attacker finds a way to bypass it. This condition is important because the advisory does not describe code execution as an automatic result on every affected server.
Which NGINX Versions Are Vulnerable to CVE-2026-42533?
The upstream NGINX project classifies CVE-2026-42533 as a major-severity vulnerability. It lists NGINX Open Source versions 0.9.6 through 1.31.2 as vulnerable, with the stable 1.30.4 and mainline 1.31.3 releases identified as fixed.
For supported NGINX Plus branches, F5 lists 37.0.3.1 and R36 P7 as fixed releases. Administrators using older supported branches should consult the CVE-2026-42533 security advisory before selecting an upgrade package.
Organizations that cannot patch immediately can review affected map blocks and replace unnamed regular-expression captures with named captures. F5 recommends referencing those captures only inside the block containing the matching expression.
CVE-2026-60005 Exposes Uninitialized Worker Memory
CVE-2026-60005 affects the ngx_http_slice_module, which divides large responses into smaller subrequests that can be cached separately. The module is not compiled into NGINX by default and requires the --with-http_slice_module build option.
The F5 slice module advisory says the weakness may appear when the slice directive interacts with unnamed regular-expression captures. Background cache updates can also create a vulnerable condition.
An unauthenticated attacker may be able to expose a limited amount of uninitialized memory or force an NGINX worker process to restart. The issue is classified as memory disclosure rather than arbitrary code execution.
How to Assess CVE-2026-60005 Exposure
Administrators should first determine whether their NGINX binary includes the HTTP slice module. They should then search active configuration files for the slice directive, unnamed regular-expression captures and background cache-update settings.
Upstream NGINX lists versions 1.15.8 through 1.31.2 as vulnerable, subject to the required module and configuration conditions. Versions 1.30.4 and 1.31.3 contain the fix.
Named captures provide a temporary mitigation for affected regular-expression configurations, according to the CVE-2026-60005 advisory. An upgrade remains the preferred response because background cache behavior can also expose vulnerable deployments.
CVE-2026-56434 Requires Control of Upstream Responses
CVE-2026-56434 is a use-after-free weakness in the ngx_http_ssi_module. The vulnerable condition requires Server-Side Includes, the proxy_pass directive and proxy_buffering off to be used together.
Exploitation also requires an attacker with a man-in-the-middle position who can control or modify responses from an upstream server. The F5 SSI module advisory says the resulting use-after-free may allow limited memory modification or restart an NGINX worker.
This attack condition is narrower than a standard unauthenticated request sent directly to an exposed website. However, it remains important for environments that proxy traffic across untrusted networks or rely on upstream systems that could be compromised.
No Configuration Workaround for the SSI Flaw
F5 does not provide a mitigation that preserves the affected configuration for CVE-2026-56434. Organizations must install a fixed release or stop using the vulnerable combination of SSI and unbuffered proxying.
The upstream project lists NGINX Open Source versions 0.8.11 through 1.31.2 as vulnerable when the required configuration exists. The corrected releases are 1.30.4 and 1.31.3.
Administrators should follow the product-specific instructions in the CVE-2026-56434 security notice, especially when NGINX is embedded in another F5 product or distributed as part of a container image.
Affected NGINX Products and Update Paths
The vulnerable NGINX data-plane code is included in several commercial and cloud-native products. These include NGINX Plus, NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, NGINX Gateway Fabric and NGINX Ingress Controller.
A product may be listed as affected even when the vulnerable feature is not active in every deployment. Administrators need to check both the installed software version and the generated NGINX configuration.
| Product | Update guidance |
|---|---|
| NGINX Open Source | Upgrade to 1.31.3 mainline or 1.30.4 stable |
| NGINX Plus 37.x | Upgrade to 37.0.3.1 or a later fixed build |
| NGINX Plus R33 to R36 | Use a supported patched release, including R36 P7 where applicable |
| NGINX Gateway Fabric | Install the fixed package for the deployed branch, including 2.6.7 where applicable |
| NGINX Ingress Controller | Install a fixed controller image for the active release or long-term support branch |
| Instance Manager and WAF products | Follow the F5 advisory table for the product-specific patched version |
NGINX Open Source version numbers should not be applied directly to an appliance, controller or container product. Downstream products have separate release numbers and may require a new image, chart or managed package.
F5 Products Not Affected by These Three Flaws
F5 says BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS and F5 AI Gateway are not vulnerable to these three NGINX issues. The findings concern products that incorporate the affected NGINX data-plane components.
Security teams should avoid assuming that every product carrying the F5 name is exposed. Accurate asset inventory can prevent unnecessary emergency changes while directing attention to internet-facing NGINX servers and Kubernetes traffic controllers.
The consolidated NGINX vulnerability list provides the authoritative Open Source version ranges. F5โs individual notices contain the commercial product and branch information.
Recommended Actions for NGINX Administrators
Organizations should prioritize systems that accept untrusted HTTP traffic and use the vulnerable map, slice or SSI configurations. Container images and Kubernetes deployments should be checked separately from traditional server packages.
- Upgrade NGINX Open Source to version 1.31.3 or 1.30.4.
- Install the relevant fixed NGINX Plus release for each supported branch.
- Replace affected NGINX Ingress Controller and Gateway Fabric container images.
- Search configurations for
map,slice,ssi,proxy_passandproxy_buffering off. - Replace unnamed regular-expression captures with named captures where F5 recommends doing so.
- Confirm whether NGINX was compiled with
ngx_http_slice_module. - Review worker-process crashes, segmentation faults and unexpected restarts.
- Verify that ASLR and other operating-system exploit protections remain enabled.
- Test updated configurations before returning public-facing systems to production.
Worker restarts alone do not confirm exploitation because configuration errors, resource pressure and software faults can produce similar symptoms. Repeated crashes triggered by unusual requests should be preserved for forensic review.
FAQ
NGINX Open Source users should upgrade to version 1.31.3 or 1.30.4, depending on their release branch. NGINX Plus and downstream F5 products require their own product-specific updates.
F5 says code execution may be possible when ASLR is disabled or an attacker can bypass it. The flaw can also cause a heap buffer overflow and restart an NGINX worker process.
The slice module is not built into NGINX Open Source by default. It must be included with the –with-http_slice_module build option and used in the active configuration for the relevant attack path.
Using named regex captures can reduce exposure to CVE-2026-42533 and CVE-2026-60005. F5 provides no configuration workaround for CVE-2026-56434, so affected systems must be patched.
F5 does not list BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS or F5 AI Gateway as vulnerable to these three issues. Separately deployed NGINX software must still be checked and updated.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages