392/69 Friday, July 17, 2026

F5 has released an out-of-band security update to address eight vulnerabilities in its NGINX and BIG-IP products. The most severe vulnerability is CVE-2026-42533, which has a CVSS score of 9.2 and is rated Critical. It affects NGINX Plus and NGINX Open Source. Attackers could send specially crafted HTTP requests to trigger a heap buffer overflow, causing the NGINX worker process to restart.
F5 stated that CVE-2026-42533 is related to cases where the Map Directive uses regex matching and a string expression references a regex capture variable from the map before referencing the map output variable. Under certain conditions, it may also occur when a non-cacheable variable is used in a string expression. Attackers can exploit this vulnerability without authentication, but only under specific conditions that are not controlled by the attacker. If Address Space Layout Randomization (ASLR) is disabled on the system, attackers may be able to escalate the impact to code execution.
The patch also fixes several High-severity vulnerabilities in NGINX, including flaws in the ngx_http_slice_module and ngx_http_ssi_module modules that could be exploited without authentication. These vulnerabilities could allow attackers to disclose information from memory, restart the NGINX worker process, or trigger a use-after-free condition to modify memory. In addition, F5 fixed a High-severity vulnerability in NGINX Ingress Controller that could allow authenticated attackers to inject NGINX configuration commands to delete files, disable services, or create and modify Ingress or TransportServer resources, leading to Denial-of-Service (DoS). F5 also fixed a High-severity vulnerability in BIG-IP that could allow remote unauthenticated attackers to increase memory resource usage when an HTTP/2 profile is configured on a virtual server, potentially causing DoS. At the time of reporting, F5 had not stated that any of these vulnerabilities had been exploited in attacks.
Source: https://www.securityweek.com/f5-patches-multiple-nginx-big-ip-vulnerabilities/
