Multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source versions NGINX Open Source 1 have been identified in F5 NGINX Plus and NGINX Open Source. The most severe.
CVE-2026-42533 (CVSS 9.2 — Critical): This flaw appears when a map directive uses regex matching and a string expression references the map’s regex capture variables before the map output variable, triggering a heap buffer overflow in the worker process that can lead to NGINX code execution when ASLR is disabled or bypassed.[/subscribe_to_unlock_form]
Multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source versions NGINX Open Source 1 have been identified in F5 NGINX Plus and NGINX Open Source. The most severe.
CVE-2026-42533 (CVSS 9.2 — Critical): This flaw appears when a map directive uses regex matching and a string expression references the map’s regex capture variables before the map output variable, triggering a heap buffer overflow in the worker process that can lead to NGINX code execution when ASLR is disabled or bypassed.[emaillocker id="1283"]
CVE-2026-56434 (CVSS 8.3 — High): The third bug requires Server-Side Includes, proxy_pass, and proxy_buffering off in combination. An attacker with man-in-the-middle control over upstream responses can cause a use-after-free in the worker process that makes limited memory modification or a restart possible.
CVE-2026-60005 (CVSS 8.2): The second flaw sits in ngx_http_slice_module, which is off by default. It surfaces when the slice directive runs with unnamed regex captures, or when a background cache update occurs, triggering uninitialized memory access in the worker process that may result in limited memory disclosure or a restart.
These vulnerabilities collectively present significant risks to NGINX users, particularly those who have not applied recent patches. Administrators should review their exposure and apply updates as soon as possible.
We recommend you to update CVE-2026-42945-rce-patch to version 1.31.3 or 1.30.4, NGINX Plus users to version 37.0.3.1 or R36 P7, NGINX Gateway Fabric 2.6.7 and NGINX Ingress Controller 5.5.3 or 2026-lts-r4.
The following reports contain further technical details:
[/emaillocker]