F5 has released a critical security update to address multiple vulnerabilities found in NGINX and BIG-IP systems. This update includes patches for eight distinct flaws, the most severe being CVE-2026-42533, which carries a CVSS score of 9.2. This critical flaw affects both NGINX Plus and NGINX Open Source, where crafted HTTP requests can exploit the system to cause a heap buffer overflow and potentially restart the NGINX worker process. The vulnerability arises when a map directive uses regex matching improperly, which can be further manipulated under specific conditions. Although the exploit does not require authentication, attackers must operate under conditions they cannot control, except on systems with Address Space Layout Randomization (ASLR) disabled, where they can achieve code execution.
The security update also addresses several high-severity issues in NGINX, including vulnerabilities in the ngx_http_slice_module and ngx_http_ssi_module. These can be exploited without authentication, leading to memory leakage, process restarts, or use-after-free conditions, which could allow memory modification or further process restarts. Additionally, two high-severity flaws in the NGINX Ingress Controller have been patched. These vulnerabilities could enable authenticated attackers to inject arbitrary configuration directives, delete files, disable services, and manipulate resources to cause denial-of-service (DoS) conditions.
In BIG-IP systems, F5 has resolved a flaw that could be exploited by remote, unauthenticated attackers. When an HTTP/2 profile is configured on a virtual server, this vulnerability can increase memory resource utilization, leading to a DoS condition. Currently, F5 has not reported any active exploitation of these vulnerabilities in the wild. Further details can be accessed through F5's official security notification.


