F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP.
The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process.
“A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains.
An attacker can exploit the security defect without authentication, but only under conditions they cannot control. On systems with Address Space Layout Randomization (ASLR) disabled, the attacker can achieve code execution.
F5’s patches also resolve several high-severity NGINX bugs, including weaknesses in the ngx_http_slice_module module and the ngx_http_ssi_module module that can be exploited without authentication.








