Skip to main content

NGINX EUVDEUVD-2026-44683

| CVE-2026-42533 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-07-15 f5 GHSA-fxfg-v4rj-hp95
9.2
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
9.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated (AV:N/PR:N/UI:N); AC:H because success depends on a specific config pattern plus ASLR disabled/bypassed for the C:H/I:H code-execution path, with A:H from worker crashes.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Jul 15, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Jul 15, 2026 - 15:22 NVD
HIGH CRITICAL
CVSS changed
Jul 15, 2026 - 15:22 NVD
8.1 (HIGH) 9.2 (CRITICAL)
Analysis Generated
Jul 15, 2026 - 15:22 vuln.today
CVE Published
Jul 15, 2026 - 14:33 cve.org
CRITICAL 9.2

DescriptionCVE.org

A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Impact: This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (DoS) and, on hosts with ASLR disabled or bypassed, potentially execute arbitrary code by sending crafted HTTP requests. The flaw is a data-plane-only issue triggered when a regex-based map directive references the map's regex capture variables before the map output variable in a string expression, or via a non-cacheable variable under certain conditions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify NGINX with vulnerable regex map config
Delivery
Send crafted HTTP requests
Exploit
Trigger heap buffer overflow in worker
Execution
Crash/restart worker (DoS)
Impact
If ASLR disabled/bypassed, execute code in worker

Vulnerability AssessmentAI

Exploitation Exploitation requires a specific server-side configuration: the NGINX config must use a map directive with regex matching, and a string expression must reference the map's regex capture variables before referencing the map output variable - or, alternatively, use a non-cacheable variable in a string expression under certain conditions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has identified (or blindly targets) an NGINX instance whose configuration uses a regex map with capture variables referenced ahead of the map output variable sends specially crafted HTTP requests that drive the vulnerable string evaluation, overflowing the heap and crashing the worker process to cause repeated restarts and denial of service. On a target where ASLR is disabled or can be bypassed, the same overflow could be shaped toward arbitrary code execution in the worker process context. …
Remediation Patch available per vendor advisory - upgrade to the fixed NGINX Plus and/or NGINX Open Source release published by F5; the exact fixed version is not stated in the provided data, so verify the target version directly in the F5 advisory at https://my.f5.com/manage/s/article/K000162097 before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, conduct an inventory of all NGINX Plus and NGINX Open Source deployments across production, staging, and development environments, noting version numbers and ASLR configuration status; prioritize public-facing and internet-accessible instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2024-39792 HIGH
8.7 Aug 14

When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

CVE-2024-24989 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Share

EUVD-2026-44683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy