F5 has disclosed three security vulnerabilities affecting NGINX Plus and NGINX Open Source, including a critical heap buffer overflow that could allow unauthenticated attackers to execute arbitrary code under certain conditions.
The vulnerabilities were published on July 15, 2026 and impact several widely deployed NGINX-based products, including:
- NGINX Plus
- NGINX Open Source
- NGINX Ingress Controller
- NGINX Gateway Fabric
- NGINX App Protect WAF
- NGINX Instance Manager
Organizations running affected NGINX deployments should prioritize patching immediately.
CVE-2026-42533 — Heap Buffer Overflow (Critical)
CVSS v3.1: 8.1 (High)
CVSS v4.0: 9.2 (Critical)
The most severe vulnerability, CVE-2026-42533, is a heap buffer overflow affecting the NGINX map directive when regex capture variables are referenced before the map output variable.
An attacker can send specially crafted HTTP requests that trigger memory corruption within the NGINX worker process.
Potential Impact
- Service crash (DoS)
- Memory corruption
- Remote code execution (RCE)
F5 warns that code execution may be possible when:
- ASLR is disabled
- ASLR protections are bypassed
Mitigation
Use named regex captures instead of unnamed captures wherever possible.
Example:
# Safer approach
(?<user>.*)
# Avoid unnamed captures
(.*)
CVE-2026-60005 — Uninitialized Memory Disclosure
CVSS v3.1: 8.2
CVSS v4.0: 8.8
This vulnerability affects the:
ngx_http_slice_module
The module is not enabled by default and requires:
--with-http_slice_module
during compilation.
Impact
Attackers may:
- Access uninitialized memory
- Cause limited information disclosure
- Trigger worker process restarts
The issue occurs when:
slicedirectives are used- Unnamed regex captures are present
- Background cache updates occur
Mitigation
Replace unnamed regex captures with named captures.
CVE-2026-56434 — Use-After-Free
CVSS v3.1: 6.5
CVSS v4.0: 8.3
This vulnerability affects:
ngx_http_ssi_module
when used with:
proxy_pass
proxy_buffering off
and Server-Side Includes (SSI).
Impact
A man-in-the-middle attacker capable of manipulating upstream responses may trigger:
- Use-after-free conditions
- Worker process crashes
- Limited memory modification
Mitigation
There is currently no workaround.
Organizations must patch affected systems.
Affected Products
Vulnerable
NGINX Plus
37.x
Fixed in:
37.0.3.1
NGINX Open Source
Affected:
1.x
Fixed in:
1.31.3
1.30.4
Additional Affected Products
- NGINX Ingress Controller
- NGINX Gateway Fabric
- NGINX App Protect WAF
- NGINX Instance Manager
Some branches are still awaiting security updates.
Not Affected
The following F5 products are not vulnerable:
- BIG-IP
- BIG-IQ
- F5 Distributed Cloud
- F5OS
- F5 AI Gateway
The vulnerabilities are limited to NGINX data-plane components.
Why This Matters
NGINX remains one of the most widely deployed web servers and reverse proxies on the internet.
Because these vulnerabilities can be exploited remotely and without authentication, they present a significant risk to:
- Public-facing web applications
- Kubernetes ingress environments
- API gateways
- Reverse proxy infrastructure
- Cloud-native workloads
Of particular concern is CVE-2026-42533, which may enable remote code execution under favorable conditions.
Recommended Actions
Immediate Priorities
- Upgrade NGINX Plus to 37.0.3.1
- Upgrade NGINX Open Source to 1.31.3 or 1.30.4
- Review configurations using:
map- regex captures
ngx_http_slice_modulengx_http_ssi_module
Additional Recommendations
- Replace unnamed regex captures with named captures
- Audit ingress controllers and gateway deployments
- Monitor worker process crashes
- Review HTTP error logs for suspicious requests
Key Takeaway
F5's July 2026 security advisory addresses three significant vulnerabilities affecting NGINX, including a critical heap buffer overflow that could lead to remote code execution. Given NGINX's extensive use across enterprise, cloud, and Kubernetes environments, organizations should prioritize patching and review configurations that rely on regex captures, slice processing, or SSI functionality.