F5 Fixes Three NGINX Memory Flaws, Including Conditional Code Execution Risk


F5 has released security updates for three NGINX memory-safety vulnerabilities that can expose affected servers to denial-of-service attacks, limited memory disclosure or memory modification. The most serious flaw may also enable code execution under specific system conditions.

The vulnerabilities are tracked as CVE-2026-42533, CVE-2026-60005 and CVE-2026-56434. They affect NGINX Plus and NGINX Open Source when particular directives, modules and configuration combinations are present.

Administrators can address all three issues in NGINX Open Source by installing version 1.31.3 or 1.30.4. F5 published the fixes on July 15, 2026, and updated the official NGINX security advisories with the affected version ranges.

Three NGINX Vulnerabilities at a Glance

VulnerabilityAffected componentCVSS v3.1CVSS v4.0Potential impact
CVE-2026-42533map directive with regular expressions8.1 High9.2 CriticalWorker crash, heap buffer overflow and conditional code execution
CVE-2026-60005ngx_http_slice_module8.2 High8.8 HighLimited memory disclosure or worker restart
CVE-2026-56434ngx_http_ssi_module6.5 Medium8.3 HighLimited memory modification or worker restart

All three weaknesses affect the NGINX data plane rather than an administrative control plane. Their practical risk depends on whether the vulnerable modules and directives are enabled in a deployment.

F5 did not report confirmed exploitation when it published the advisories. Internet-facing NGINX systems should still be reviewed quickly because specially crafted traffic can reach vulnerable worker processes without an authenticated NGINX account.

CVE-2026-42533 Can Cause a Heap Buffer Overflow

CVE-2026-42533 is the most serious issue in the group. According to the F5 map directive advisory, the vulnerability can occur when a string expression references regular-expression capture variables before the output variable of a map block.

A remote, unauthenticated attacker can send a crafted HTTP request that triggers a heap buffer overflow in an NGINX worker process. A successful attack may restart the worker and interrupt requests being handled by that process.

F5 also warns of possible code execution when Address Space Layout Randomization is disabled or when an attacker finds a way to bypass it. This condition is important because the advisory does not describe code execution as an automatic result on every affected server.

Which NGINX Versions Are Vulnerable to CVE-2026-42533?

The upstream NGINX project classifies CVE-2026-42533 as a major-severity vulnerability. It lists NGINX Open Source versions 0.9.6 through 1.31.2 as vulnerable, with the stable 1.30.4 and mainline 1.31.3 releases identified as fixed.

For supported NGINX Plus branches, F5 lists 37.0.3.1 and R36 P7 as fixed releases. Administrators using older supported branches should consult the CVE-2026-42533 security advisory before selecting an upgrade package.

Organizations that cannot patch immediately can review affected map blocks and replace unnamed regular-expression captures with named captures. F5 recommends referencing those captures only inside the block containing the matching expression.

CVE-2026-60005 Exposes Uninitialized Worker Memory

CVE-2026-60005 affects the ngx_http_slice_module, which divides large responses into smaller subrequests that can be cached separately. The module is not compiled into NGINX by default and requires the --with-http_slice_module build option.

The F5 slice module advisory says the weakness may appear when the slice directive interacts with unnamed regular-expression captures. Background cache updates can also create a vulnerable condition.

An unauthenticated attacker may be able to expose a limited amount of uninitialized memory or force an NGINX worker process to restart. The issue is classified as memory disclosure rather than arbitrary code execution.

How to Assess CVE-2026-60005 Exposure

Administrators should first determine whether their NGINX binary includes the HTTP slice module. They should then search active configuration files for the slice directive, unnamed regular-expression captures and background cache-update settings.

Upstream NGINX lists versions 1.15.8 through 1.31.2 as vulnerable, subject to the required module and configuration conditions. Versions 1.30.4 and 1.31.3 contain the fix.

Named captures provide a temporary mitigation for affected regular-expression configurations, according to the CVE-2026-60005 advisory. An upgrade remains the preferred response because background cache behavior can also expose vulnerable deployments.

CVE-2026-56434 Requires Control of Upstream Responses

CVE-2026-56434 is a use-after-free weakness in the ngx_http_ssi_module. The vulnerable condition requires Server-Side Includes, the proxy_pass directive and proxy_buffering off to be used together.

Exploitation also requires an attacker with a man-in-the-middle position who can control or modify responses from an upstream server. The F5 SSI module advisory says the resulting use-after-free may allow limited memory modification or restart an NGINX worker.

This attack condition is narrower than a standard unauthenticated request sent directly to an exposed website. However, it remains important for environments that proxy traffic across untrusted networks or rely on upstream systems that could be compromised.

No Configuration Workaround for the SSI Flaw

F5 does not provide a mitigation that preserves the affected configuration for CVE-2026-56434. Organizations must install a fixed release or stop using the vulnerable combination of SSI and unbuffered proxying.

The upstream project lists NGINX Open Source versions 0.8.11 through 1.31.2 as vulnerable when the required configuration exists. The corrected releases are 1.30.4 and 1.31.3.

Administrators should follow the product-specific instructions in the CVE-2026-56434 security notice, especially when NGINX is embedded in another F5 product or distributed as part of a container image.

Affected NGINX Products and Update Paths

The vulnerable NGINX data-plane code is included in several commercial and cloud-native products. These include NGINX Plus, NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, NGINX Gateway Fabric and NGINX Ingress Controller.

A product may be listed as affected even when the vulnerable feature is not active in every deployment. Administrators need to check both the installed software version and the generated NGINX configuration.

ProductUpdate guidance
NGINX Open SourceUpgrade to 1.31.3 mainline or 1.30.4 stable
NGINX Plus 37.xUpgrade to 37.0.3.1 or a later fixed build
NGINX Plus R33 to R36Use a supported patched release, including R36 P7 where applicable
NGINX Gateway FabricInstall the fixed package for the deployed branch, including 2.6.7 where applicable
NGINX Ingress ControllerInstall a fixed controller image for the active release or long-term support branch
Instance Manager and WAF productsFollow the F5 advisory table for the product-specific patched version

NGINX Open Source version numbers should not be applied directly to an appliance, controller or container product. Downstream products have separate release numbers and may require a new image, chart or managed package.

F5 Products Not Affected by These Three Flaws

F5 says BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS and F5 AI Gateway are not vulnerable to these three NGINX issues. The findings concern products that incorporate the affected NGINX data-plane components.

Security teams should avoid assuming that every product carrying the F5 name is exposed. Accurate asset inventory can prevent unnecessary emergency changes while directing attention to internet-facing NGINX servers and Kubernetes traffic controllers.

The consolidated NGINX vulnerability list provides the authoritative Open Source version ranges. F5โ€™s individual notices contain the commercial product and branch information.

Organizations should prioritize systems that accept untrusted HTTP traffic and use the vulnerable map, slice or SSI configurations. Container images and Kubernetes deployments should be checked separately from traditional server packages.

  • Upgrade NGINX Open Source to version 1.31.3 or 1.30.4.
  • Install the relevant fixed NGINX Plus release for each supported branch.
  • Replace affected NGINX Ingress Controller and Gateway Fabric container images.
  • Search configurations for map, slice, ssi, proxy_pass and proxy_buffering off.
  • Replace unnamed regular-expression captures with named captures where F5 recommends doing so.
  • Confirm whether NGINX was compiled with ngx_http_slice_module.
  • Review worker-process crashes, segmentation faults and unexpected restarts.
  • Verify that ASLR and other operating-system exploit protections remain enabled.
  • Test updated configurations before returning public-facing systems to production.

Worker restarts alone do not confirm exploitation because configuration errors, resource pressure and software faults can produce similar symptoms. Repeated crashes triggered by unusual requests should be preserved for forensic review.

FAQ

What NGINX versions fix CVE-2026-42533, CVE-2026-60005 and CVE-2026-56434?

NGINX Open Source users should upgrade to version 1.31.3 or 1.30.4, depending on their release branch. NGINX Plus and downstream F5 products require their own product-specific updates.

Can CVE-2026-42533 allow remote code execution?

F5 says code execution may be possible when ASLR is disabled or an attacker can bypass it. The flaw can also cause a heap buffer overflow and restart an NGINX worker process.

Is ngx_http_slice_module enabled by default?

The slice module is not built into NGINX Open Source by default. It must be included with the –with-http_slice_module build option and used in the active configuration for the relevant attack path.

Is there a workaround for the NGINX vulnerabilities?

Using named regex captures can reduce exposure to CVE-2026-42533 and CVE-2026-60005. F5 provides no configuration workaround for CVE-2026-56434, so affected systems must be patched.

Are BIG-IP and BIG-IQ affected by these NGINX flaws?

F5 does not list BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS or F5 AI Gateway as vulnerable to these three issues. Separately deployed NGINX software must still be checked and updated.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages