F5 published three out-of-band security patches for NGINX on July 15, 2026 alongside the NGINX 1.31.3 mainline release. The most serious flaw — CVE-2026-42533 — is a heap buffer overflow in the map directive that an unauthenticated attacker can trigger with crafted HTTP requests, potentially achieving remote code execution on servers where ASLR is disabled or bypassed. Two companion vulnerabilities (CVE-2026-60005, uninitialized memory in the slice module; CVE-2026-56434, use-after-free in the SSI module) round out the batch. None of the three have been observed exploited in the wild as of disclosure, but NGINX powers a massive share of internet-facing infrastructure, making a fast patch cadence essential.

What the Vulnerabilities Are

CVE-2026-42533 — Heap Buffer Overflow in the map Directive (CVSS v4 9.2 Critical)

When the map directive uses regex matching and a string expression references unnamed capture variables before the map's output variable, NGINX's worker process can overflow heap memory (CWE-122). An unauthenticated remote attacker sends specially crafted HTTP requests to trigger the bug. The immediate result is a worker process crash (DoS); on systems where Address Space Layout Randomization (ASLR) is disabled or an attacker can bypass it, code execution becomes feasible. F5 credits over a dozen independent researchers — including teams from AntAISecurityLab, EVO.company, and Vodafone Türkiye — for responsible disclosure.

CVE-2026-60005 — Uninitialized Memory Disclosure in ngx_http_slice_module (CVSS v4 8.8)

This flaw affects the ngx_http_slice_module, which is non-default and requires the --with-http_slice_module build flag. When the slice directive is paired with unnamed regex captures, or during background cache update cycles, the module accesses uninitialized memory. The impact is limited data leakage or a worker process restart. Found internally by F5.

CVE-2026-56434 — Use-After-Free in ngx_http_ssi_module (CVSS v4 8.3)

A use-after-free (CWE-416) in NGINX's Server-Side Includes filter module. Exploitation requires a man-in-the-middle position on the upstream connection (e.g., a compromised backend or internal-network attacker) when proxy_pass is in use with proxy_buffering off. No workaround exists beyond patching. Reported by researcher p4p3r.

Why It Matters

  • NGINX is on a massive percentage of internet-facing servers — it's the default reverse proxy/web server in virtually every Linux hosting stack, Kubernetes ingress, and CDN configuration. A remotely triggerable heap overflow in the worker process is high-priority regardless of CVSS score.
  • CVE-2026-42533's RCE potential exists on common configurations. While ASLR bypass is required for code execution, NGINX Plus deployments on locked-down appliances often have predictable memory layouts. Even a reliable DoS against a high-traffic NGINX worker is disruptive.
  • map directives with regex are extremely common in host-based routing, geolocation rewrites, and multi-tenant site configurations. Unnamed regex captures ($1, $2, etc.) are the default style in most documentation examples.
  • CVE-2026-56434's SSI + proxy_pass combo is more common than expected on legacy PHP or Django sites that still use Server-Side Includes for templating or authentication wrappers.
  • F5's track record means active exploitation follows quickly. CISA has flagged seven prior F5/NGINX vulnerabilities as actively exploited, four of them in ransomware attacks.

Am I Affected?

You are affected if you run any of the following:

  • NGINX Open Source mainline 1.31.x — any version before 1.31.3
  • NGINX Open Source stable 1.30.x — any version before 1.30.4
  • NGINX Plus R37 (37.x) — any version before 37.0.3.1
  • NGINX Ingress Controller, Gateway Fabric, App Protect WAF, or Instance Manager — check the F5 advisory for your branch's fix version
  • Check your NGINX config for map blocks using unnamed regex captures ($1, $2 style) — these are the attack surface for CVE-2026-42533
  • Check whether the --with-http_slice_module flag is compiled in (run nginx -V 2>&1 | grep slice) for CVE-2026-60005 exposure
  • Check for ssi on; combined with proxy_pass and proxy_buffering off; for CVE-2026-56434 exposure

Note: NGINX 1.30.x stable branch users who haven't opted into mainline are still affected via 1.30.4 backport — patch all the same.

BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS, and F5 AI Gateway are not affected by these CVEs.

What to Do About It: Step-by-Step

1. Identify your NGINX version:

nginx -v

or

nginx -V 2>&1 | head -1

2. Patch to a fixed version:

  • NGINX Open Source (mainline): Upgrade to 1.31.3 or later
    # Debian/Ubuntu (nginx mainline repo)
    sudo apt-get update && sudo apt-get install -y nginx
    
    # RHEL/Rocky/AlmaLinux (nginx mainline repo)
    sudo dnf update nginx
  • NGINX Open Source (stable): Upgrade to 1.30.4 or later
  • NGINX Plus R37: Upgrade to 37.0.3.1 via the F5 portal

3. If you cannot patch immediately — mitigate CVE-2026-42533:

Replace unnamed regex captures with named captures in your map blocks:

# VULNERABLE (unnamed capture — $1):
map $uri $downstream {
    ~^/app/(.*)$ $1;
}

# SAFE (named capture — use ?<name>):
map $uri $downstream {
    ~^/app/(?<path>.*)$ $path;
}

4. If you cannot patch immediately — mitigate CVE-2026-60005:

If ngx_http_slice_module is compiled in, verify whether slice directives are actually in use. If not, remove or comment them out. There is no broader workaround.

5. For CVE-2026-56434: The only mitigation is patching. If you use SSI (ssi on;) with proxy_pass and proxy_buffering off; in the same location block, consider enabling proxy buffering temporarily:

proxy_buffering on;

…until the patch is applied.

6. Reload NGINX after patching:

sudo nginx -t && sudo systemctl reload nginx

7. Verify the fixed version is running:

nginx -v

Confirm output shows 1.31.3 (mainline), 1.30.4 (stable), or 37.0.3.1 (Plus).

Quick-Win Checklist

  • Run nginx -v on all servers and document current versions.
  • Update NGINX to 1.31.3 (mainline) or 1.30.4 (stable) or NGINX Plus 37.0.3.1.
  • Reload NGINX after update (nginx -t && systemctl reload nginx).
  • Audit map blocks for unnamed regex captures; migrate to named captures.
  • Check for ssi on; + proxy_pass + proxy_buffering off; in configs.
  • Update NGINX Ingress Controller, Gateway Fabric, App Protect WAF, Instance Manager per F5 branch guidance.
  • Subscribe to NGINX security advisories at nginx.org/en/security_advisories.html.

Sources