Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

F5 Patches Multiple NGINX, BIG-IP Vulnerabilities

Attackers could exploit the bugs to modify configurations, terminate or restart processes, cross security boundaries, leak memory, and execute code.

F5

F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP.

The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process.

“A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains.

An attacker can exploit the security defect without authentication, but only under conditions they cannot control. On systems with Address Space Layout Randomization (ASLR) disabled, the attacker can achieve code execution.

F5’s patches also resolve several high-severity NGINX bugs, including weaknesses in the ngx_http_slice_module module and the ngx_http_ssi_module module that can be exploited without authentication.

Successful exploitation of the flaws allows attackers to leak memory contents, restart the NGINX worker process, or cause a use-after-free in the NGINX worker process to modify memory or restart the process.

Advertisement. Scroll to continue reading.

Two high-severity vulnerabilities addressed in NGINX Ingress Controller could allow authenticated attackers to inject arbitrary NGINX configuration directives to delete files and disable services, or create or modify Ingress or TransportServer resources to cause a denial-of-service (DoS) condition.

F5 also resolved a high-severity security defect in BIG-IP that could be exploited by remote, unauthenticated attackers to increase memory resource utilization when an HTTP/2 profile is configured on a virtual server, causing a DoS condition.

F5 makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s out-of-band security notification.

Related: Trend Micro, Tanium, ESET, and Tenable Patch Severe Product Vulnerabilities

Related: Vulnerabilities Patched by Fortinet, Ivanti, ServiceNow

Related: ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Rockwell

Related: Critical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.