F5 has disclosed three security vulnerabilities affecting NGINX Plus and NGINX Open Source, including a critical heap buffer overflow that could allow unauthenticated attackers to execute arbitrary code under certain conditions.

The vulnerabilities were published on July 15, 2026 and impact several widely deployed NGINX-based products, including:

  • NGINX Plus
  • NGINX Open Source
  • NGINX Ingress Controller
  • NGINX Gateway Fabric
  • NGINX App Protect WAF
  • NGINX Instance Manager

Organizations running affected NGINX deployments should prioritize patching immediately.

CVE-2026-42533 — Heap Buffer Overflow (Critical)

CVSS v3.1: 8.1 (High)
CVSS v4.0: 9.2 (Critical)

The most severe vulnerability, CVE-2026-42533, is a heap buffer overflow affecting the NGINX map directive when regex capture variables are referenced before the map output variable.

An attacker can send specially crafted HTTP requests that trigger memory corruption within the NGINX worker process.

Potential Impact

  • Service crash (DoS)
  • Memory corruption
  • Remote code execution (RCE)

F5 warns that code execution may be possible when:

  • ASLR is disabled
  • ASLR protections are bypassed

Mitigation

Use named regex captures instead of unnamed captures wherever possible.

Example:

# Safer approach
(?<user>.*)

# Avoid unnamed captures
(.*)

CVE-2026-60005 — Uninitialized Memory Disclosure

CVSS v3.1: 8.2
CVSS v4.0: 8.8

This vulnerability affects the:

ngx_http_slice_module

The module is not enabled by default and requires:

--with-http_slice_module

during compilation.

Impact

Attackers may:

  • Access uninitialized memory
  • Cause limited information disclosure
  • Trigger worker process restarts

The issue occurs when:

  • slice directives are used
  • Unnamed regex captures are present
  • Background cache updates occur

Mitigation

Replace unnamed regex captures with named captures.

CVE-2026-56434 — Use-After-Free

CVSS v3.1: 6.5
CVSS v4.0: 8.3

This vulnerability affects:

ngx_http_ssi_module

when used with:

proxy_pass
proxy_buffering off

and Server-Side Includes (SSI).

Impact

A man-in-the-middle attacker capable of manipulating upstream responses may trigger:

  • Use-after-free conditions
  • Worker process crashes
  • Limited memory modification

Mitigation

There is currently no workaround.

Organizations must patch affected systems.

Affected Products

Vulnerable

NGINX Plus

37.x

Fixed in:

37.0.3.1

NGINX Open Source

Affected:

1.x

Fixed in:

1.31.3
1.30.4

Additional Affected Products

  • NGINX Ingress Controller
  • NGINX Gateway Fabric
  • NGINX App Protect WAF
  • NGINX Instance Manager

Some branches are still awaiting security updates.

Not Affected

The following F5 products are not vulnerable:

  • BIG-IP
  • BIG-IQ
  • F5 Distributed Cloud
  • F5OS
  • F5 AI Gateway

The vulnerabilities are limited to NGINX data-plane components.

Why This Matters

NGINX remains one of the most widely deployed web servers and reverse proxies on the internet.

Because these vulnerabilities can be exploited remotely and without authentication, they present a significant risk to:

  • Public-facing web applications
  • Kubernetes ingress environments
  • API gateways
  • Reverse proxy infrastructure
  • Cloud-native workloads

Of particular concern is CVE-2026-42533, which may enable remote code execution under favorable conditions.

Recommended Actions

Immediate Priorities

  • Upgrade NGINX Plus to 37.0.3.1
  • Upgrade NGINX Open Source to 1.31.3 or 1.30.4
  • Review configurations using:
  • map
  • regex captures
  • ngx_http_slice_module
  • ngx_http_ssi_module

Additional Recommendations

  • Replace unnamed regex captures with named captures
  • Audit ingress controllers and gateway deployments
  • Monitor worker process crashes
  • Review HTTP error logs for suspicious requests

Key Takeaway

F5's July 2026 security advisory addresses three significant vulnerabilities affecting NGINX, including a critical heap buffer overflow that could lead to remote code execution. Given NGINX's extensive use across enterprise, cloud, and Kubernetes environments, organizations should prioritize patching and review configurations that rely on regex captures, slice processing, or SSI functionality.