F5 Releases Patches for More Than 50 Vulnerabilities Affecting BIG-IP, BIG-IQ, and NGINX

264/69 Friday, May 15, 2026

F5 has released security updates addressing more than 50 vulnerabilities across its BIG-IP, BIG-IQ, and NGINX products. The advisory includes 19 High-severity vulnerabilities and 32 Medium-severity issues. If systems remain unpatched, several of the flaws could be exploited to achieve privilege escalation, remote command execution, or denial-of-service (DoS) conditions.

The most severe vulnerability is CVE-2026-42945, affecting the ngx_http_rewrite_module component in NGINX. The flaw could allow an unauthenticated attacker to send specially crafted HTTP requests that, under certain conditions, may trigger a heap buffer overflow. Successful exploitation could cause service restarts or DoS conditions, and in environments where Address Space Layout Randomization (ASLR) is disabled, the vulnerability could lead to remote code execution.

F5 also addressed several other significant vulnerabilities, including CVE-2026-41225 in iControl REST, which could allow an authenticated attacker with at least Manager-level privileges to create malicious configuration objects that may lead to command execution. Additional High-severity vulnerabilities affecting BIG-IP include CVE-2026-41957, CVE-2026-34176, and CVE-2026-39459, which involve remote code execution and command injection scenarios that require authentication. At this time, there have been no reports of these vulnerabilities being actively exploited in the wild.

Source: https://www.securityweek.com/f5-patches-over-50-vulnerabilities/