Skip to main content

NGINX CVE-2026-60005

| EUVDEUVD-2026-44697 HIGH
Use of Uninitialized Resource (CWE-908)
2026-07-15 f5
8.8
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Remote unauthenticated request triggers the flaw (AV:N/PR:N/UI:N); limited memory read gives C:L, no integrity impact, and repeated worker restarts justify A:H; config prerequisite reduces population, not attacker complexity.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 15, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 15, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 15, 2026 - 16:22 NVD
8.2 (HIGH) 8.8 (HIGH)
Analysis Generated
Jul 15, 2026 - 15:47 vuln.today
CVE Published
Jul 15, 2026 - 15:04 cve.org
HIGH 8.2

DescriptionCVE.org

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart.

Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach NGINX HTTP endpoint over network
Delivery
Send crafted request hitting slice path
Exploit
Trigger uninitialized memory read (CWE-908)
Execution
Leak worker memory fragments or crash worker
Impact
Repeat to sustain disclosure or restart

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be built with the non-default ngx_http_slice_module (--with-http_slice_module) AND to be running a triggering configuration: the slice directive together with unnamed regex captures in location/rewrite rules, OR an active background cache update (proxy_cache_background_update) path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:4.0 base score of 8.8 (AV:N/AC:L/AT:N/PR:N/UI:N, VC:L/VI:N/VA:H) reflects remote, unauthenticated, low-complexity access with limited confidentiality impact but high availability impact - consistent with the description of limited memory disclosure or worker restart. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who identifies an internet-facing NGINX instance built with the slice module and using slice alongside unnamed regex captures sends crafted HTTP requests that drive the worker down the uninitialized-memory path, returning fragments of worker-process memory or forcing the worker to restart. With AV:N/AC:L/PR:N, this requires no authentication and no user interaction, only network reachability to the vulnerable endpoint. …
Remediation Patch available per vendor advisory: upgrade to the fixed NGINX Plus / NGINX Open Source release identified in F5 article K000162100 (https://my.f5.com/manage/s/article/K000162100); exact fixed version numbers are not included in the provided data and must be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all NGINX Plus and NGINX Open Source instances to identify those with ngx_http_slice_module compiled and active. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

CVE-2024-24989 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Share

CVE-2026-60005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy