Critical NGINX Vulnerabilities Patched by F5: Security Updates Released
F5 has issued emergency security patches to address multiple critical and high-severity vulnerabilities in NGINX, a widely used web server and reverse proxy.
Urgent Security Patches Issued
The updates resolve flaws that could enable remote attackers to execute arbitrary code, disrupt services, or access sensitive data if exploited. The most severe issues, designated as CVE-2026-42530 and CVE-2026-42055, carry a CVSS score of 9.2. These flaws reside in NGINX’s HTTP modules and can be exploited without requiring authentication.
Critical Vulnerabilities Addressed
CVE-2026-42530 and CVE-2026-42055
Exploitation could trigger a use-after-free condition or a heap-based buffer overflow, leading to a denial-of-service (DoS) scenario. If the system’s Address Space Layout Randomization (ASLR) is disabled or bypassed, attackers could execute arbitrary code.
Updated Versions Released
F5 has released updated versions of NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric to resolve these vulnerabilities. Additionally, the company addressed two high-severity flaws in NGINX Gateway Fabric, CVE-2026-11311 and CVE-2026-50107. These vulnerabilities allow authenticated attackers to inject arbitrary NGINX configuration directives, potentially exposing sensitive data, redirecting traffic to malicious endpoints, or causing a DoS.
Medium-Severity Vulnerabilities
Two medium-severity vulnerabilities were also patched. They could enable remote attackers to disclose memory contents or force the NGINX worker process to restart, resulting in a DoS condition.
Importance of Immediate Patching
While F5 has not reported any active exploitation of these vulnerabilities, the company emphasizes the importance of deploying the patches promptly, given the recent targeting of NGINX in cyberattacks. Further details are available in the company’s security advisory.
