- July 15, 2026
Critical Memory Corruption Vulnerabilities in NGINX (CVE-2026-42533, CVE-2026-56434, CVE-2026-60005)
F5 has patched three memory-corruption vulnerabilities in NGINX Plus and NGINX Open Source, the most severe of which lets an unauthenticated attacker crash worker processes and, under the right conditions, execute code.
Executive Summary
On July 15th, 2026, F5 disclosed an out-of-band security notification regarding F5 and NGINX memory-safety vulnerabilities affecting NGINX Plus and NGINX Open Source. The most severe flaw, tracked as CVE-2026-42533 (CVSS 9.2), lets an unauthenticated, remote attacker send requests that can result in heap buffer overflows. CVE-2026-60005 allows an attacker to potentially read worker memory or restart the process. CVE-2026-56434 can be leveraged to allow an attacker in the middle of a session to control upstream responses.
NGINX is one of the most widely deployed web servers and reverse proxies on the internet, and accounts for a large share of internet-facing infrastructure. Memory-corruption vulnerabilities in exposed deployments can enable service disruption or denial of service, and in the case of CVE-2026-42533 may provide a path to remote code execution.
F5 has not confirmed active exploitation for any of the three vulnerabilities as of publication. Although active exploitation has not been reported, vulnerabilities in the memory-corruption category have historically been weaponized following disclosure. Beazley Security recommends affected organizations apply available fixes as soon as possible.
Affected Systems or Products
Product | Affected Version |
|---|---|
NGINX Open Source | 1.30.0 - 1.30.3, and 1.31.2 |
NGINX Plus | 37.0.0.1 - 37.0.2.1, and R33 - R36 |
NGINX Instance Manager | 2.17.0 - 2.22.1 |
F5 WAF for NGINX | 5.9.0 - 5.13.3 |
NGINX App Protect WAF | 4.x and 5.x |
NGINX Gateway Fabric | 1.x and 2.x |
NGINX Ingress Controller | 5.0.0 - 5.5.1, 4.0.0 - 4.0.1, and 3.6.0 - 3.7.2 |
BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS, and F5 AI Gateway are not affected; the issues are confined to NGINX’s data plane components.
Mitigations / Workarounds
A single upgrade path remediates all three vulnerabilities on NGINX Open Source and NGINX Plus. Downstream products require their own separate updates.
Upgrade NGINX Open Source to 1.31.3 or 1.30.4.
Upgrade NGINX Plus to 37.0.3.1 or R36 P7.
Upgrade NGINX Gateway Fabric to 2.6.7, and NGINX Ingress Controller to 5.5.3 or 2026-lts-r4.
If immediate patching is not possible, F5 advises replacing unnamed regex captures with named captures in any map or slice directive, and referencing those captures only within the block that holds the regex match. Replacing unnamed regex captures with named ones mitigates the vulnerabilities CVE-2026-42533 and CVE-2026-60005 target. No workaround exists for CVE-2026-56434; organizations relying on SSI with proxy_pass and proxy_buffering off should prioritize patching.
Patches
Fixed releases are available for NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, and NGINX Ingress Controller, with additional downstream products receiving updates on their own branches. Administrators of customer-managed NGINX deployments must apply these updates directly. Further details on patching procedures are available in F5’s NGINX security advisory.
Technical Details
CVE-2026-42533 is a vulnerability that leverages the map directive when it’s configured to use regex matching. Map directives take a string expression that references the map’s regex capture variables before referencing the map’s own output variable. NGINX parses strings with $variables like proxy_set_header, map outputs, and conditionals by compiling them into a script at runtime. These map runtimes are executed twice for each request to ensure that an appropriately sized buffer can be allocated.
Because a map directive needs to run a regex across its input, the number captured variables in the regex matches (for example, $1, $2, ...) will be iterated in order. This initial pass reads $1 first, and its value may still hold whatever was left inside it from a previous capture state. On the second pass, when the map variable is evaluated and the regex is triggered, $1 will be overwritten with user-influenced content. If the two passes do not result in the same length, the new capture content can be longer than what was allocated, and the copy pass writes beyond the end of the allocated buffer causing a heap overflow.
The changelog notes a second related trigger, “non-cacheable variables”. These non-cacheable variables can produce the same result when referenced in a string expression because a non-cacheable variable is explicitly allowed to return a different value each time it’s evaluated.
Grepping your configs for string expressions (proxy_set_header, add_header, return, rewrite, log_format, set, etc.) that reference $1/$2/... values before referencing a map-produced variable can identify whether you have a vulnerable configuration. If so, using a named capture group (?<name>...) instead of a numbered one will reduce accidental register reuse across unrelated directives.
The other two flaws are lower-impact siblings from the same release. CVE-2026-60005 is an uninitialized-memory read in the optional slice module (not enabled by default) that can leak fragments of worker memory or force a restart. CVE-2026-56434 is a use-after-free in the SSI module, reachable only when SSI, proxy_pass, and proxy_buffering off are all configured together, and only by an attacker with man-in-the-middle control over upstream responses.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.