F5 Releases Critical Patches for NGINX and BIG-IP Vulnerabilities

www.news4hackers.com-f5-releases-critical-patches-for-nginx-and-big-ip-vulnerabilities-f5-releases-critical-patches-for-nginx-and-big-ip-vulnerabilities

F5 released an urgent security update to address eight critical vulnerabilities affecting NGINX and BIG-IP platforms.

Critical Vulnerabilities in NGINX and BIG-IP

F5 released an urgent security update to address eight critical vulnerabilities affecting NGINX and BIG-IP platforms. The most severe flaw, tracked as CVE-2026-42533 with a CVSS score of 9.2, impacts NGINX Plus and NGINX Open Source. This vulnerability arises from improper handling of HTTP requests involving the map directive with regex matching.

CVE-2026-42533: Heap Buffer Overflow in NGINX

Specifically, when a string expression references regex capture variables before the map output variable, it creates a condition that could trigger a heap buffer overflow. This flaw could force the NGINX worker process to restart, potentially disrupting service availability. The vulnerability requires no authentication for exploitation but is contingent on specific system configurations. Attackers could achieve code execution if Address Space Layout Randomization (ASLR) is disabled on affected systems.

High-Severity Issues in NGINX

F5’s update also resolves multiple high-severity issues in NGINX, including flaws in the ngx_http_slice_module and ngx_http_ssi_module. These weaknesses allow unauthorized users to access memory contents, restart worker processes, or induce use-after-free conditions that alter memory states or terminate processes.

NGINX Ingress Controller Vulnerabilities

Two additional high-severity vulnerabilities in the NGINX Ingress Controller enable authenticated attackers to inject arbitrary configuration directives. This could lead to file deletions, service disruptions, or denial-of-service (DoS) scenarios by manipulating Ingress or TransportServer resources.

BIG-IP Vulnerability: Memory Exhaustion

A separate flaw in BIG-IP permits remote, unauthenticated attackers to exhaust memory resources when an HTTP/2 profile is active on a virtual server, resulting in a DoS condition.

No evidence of active exploitation for these vulnerabilities has been reported. F5’s security advisory provides detailed mitigation steps and patching instructions. The update emphasizes the importance of immediate implementation to prevent potential disruptions.

Industry Context and Recommendations

The release follows recent patches from other vendors addressing critical flaws in products such as Fortinet, Ivanti, and Tenable. Industry analysts highlight the growing frequency of zero-day disclosures and the need for proactive vulnerability management. Enterprises are advised to review their NGINX and BIG-IP deployments for compliance with the latest security updates.



About Author

en_USEnglish