Threat Advisory

NGINX Flaw Lets Attackers Execute Code

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source versions NGINX Open Source 1 have been identified in F5 NGINX Plus and NGINX Open Source. The most severe.

CVE-2026-42533 (CVSS 9.2 — Critical): This flaw appears when a map directive uses regex matching and a string expression references the map’s regex capture variables before the map output variable, triggering a heap buffer overflow in the worker process that can lead to NGINX code execution when ASLR is disabled or bypassed.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source versions NGINX Open Source 1 have been identified in F5 NGINX Plus and NGINX Open Source. The most severe.

CVE-2026-42533 (CVSS 9.2 — Critical): This flaw appears when a map directive uses regex matching and a string expression references the map’s regex capture variables before the map output variable, triggering a heap buffer overflow in the worker process that can lead to NGINX code execution when ASLR is disabled or bypassed.[emaillocker id="1283"]

CVE-2026-56434 (CVSS 8.3 — High): The third bug requires Server-Side Includes, proxy_pass, and proxy_buffering off in combination. An attacker with man-in-the-middle control over upstream responses can cause a use-after-free in the worker process that makes limited memory modification or a restart possible.

CVE-2026-60005 (CVSS 8.2): The second flaw sits in ngx_http_slice_module, which is off by default. It surfaces when the slice directive runs with unnamed regex captures, or when a background cache update occurs, triggering uninitialized memory access in the worker process that may result in limited memory disclosure or a restart.

These vulnerabilities collectively present significant risks to NGINX users, particularly those who have not applied recent patches. Administrators should review their exposure and apply updates as soon as possible.

RECOMMENDATION:

We recommend you to update CVE-2026-42945-rce-patch to version 1.31.3 or 1.30.4, NGINX Plus users to version 37.0.3.1 or R36 P7, NGINX Gateway Fabric 2.6.7 and NGINX Ingress Controller 5.5.3 or 2026-lts-r4.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu