F5 has shipped an out-of-band security rollout addressing eight vulnerabilities spanning NGINX Plus, NGINX Open Source, NGINX Ingress Controller, and BIG-IP. The company says none of the flaws are currently known to be exploited in the wild.
Critical NGINX Heap Overflow
The most severe issue, CVE-2026-42533, carries a CVSS score of 9.2 and affects NGINX Plus and NGINX Open Source. The vulnerability arises when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable, or alternatively when a non-cacheable variable is used in a string expression under certain conditions.
An attacker can trigger the flaw with crafted HTTP requests without authentication, though only under conditions outside their control. Successful exploitation causes a heap buffer overflow and restarts the NGINX worker process. On systems where Address Space Layout Randomization (ASLR) is disabled, F5 warns the bug can be escalated to remote code execution.
High-Severity NGINX and Ingress Controller Bugs
The rollout also fixes several high-severity issues in NGINX components:
- A weakness in the ngx_http_slice_module that can be exploited without authentication to leak memory contents or restart the worker process.
- A flaw in the ngx_http_ssi_module that can trigger a use-after-free condition, allowing memory modification or a worker process restart.
- Two vulnerabilities in NGINX Ingress Controller that let authenticated attackers inject arbitrary NGINX configuration directives, enabling file deletion, service disabling, or unauthorized creation and modification of Ingress or TransportServer resources to cause denial-of-service conditions.
BIG-IP Denial-of-Service Flaw
F5 additionally patched a high-severity BIG-IP vulnerability that remote, unauthenticated attackers could exploit to spike memory resource utilization when an HTTP/2 profile is configured on a virtual server, resulting in a denial-of-service condition.
Recommendations
Given the critical rating and unauthenticated exploitation path for CVE-2026-42533, security teams running NGINX Plus or NGINX Open Source should prioritize patching immediately, particularly on systems where ASLR may be disabled. Organizations using NGINX Ingress Controller and BIG-IP with HTTP/2 profiles should also review F5’s out-of-band security notification for applicable fixes and mitigation guidance.
