Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote unauthenticated request triggers the flaw (AV:N/PR:N/UI:N); limited memory read gives C:L, no integrity impact, and repeated worker restarts justify A:H; config prerequisite reduces population, not attacker complexity.
Primary rating from Vendor (f5).
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart.
Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be built with the non-default ngx_http_slice_module (--with-http_slice_module) AND to be running a triggering configuration: the slice directive together with unnamed regex captures in location/rewrite rules, OR an active background cache update (proxy_cache_background_update) path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:4.0 base score of 8.8 (AV:N/AC:L/AT:N/PR:N/UI:N, VC:L/VI:N/VA:H) reflects remote, unauthenticated, low-complexity access with limited confidentiality impact but high availability impact - consistent with the description of limited memory disclosure or worker restart. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who identifies an internet-facing NGINX instance built with the slice module and using slice alongside unnamed regex captures sends crafted HTTP requests that drive the worker down the uninitialized-memory path, returning fragments of worker-process memory or forcing the worker to restart. With AV:N/AC:L/PR:N, this requires no authentication and no user interaction, only network reachability to the vulnerable endpoint. … |
| Remediation | Patch available per vendor advisory: upgrade to the fixed NGINX Plus / NGINX Open Source release identified in F5 article K000162100 (https://my.f5.com/manage/s/article/K000162100); exact fixed version numbers are not included in the provided data and must be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all NGINX Plus and NGINX Open Source instances to identify those with ngx_http_slice_module compiled and active. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nginx Plus
View allHeap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem
Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside
NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen
When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44697
GHSA-vxcv-h5wj-jxr5