PT-2026-60178 · F5 · Nginx Plus+1

CVE-2026-42533

·

Published

2026-07-15

·

Updated

2026-07-16

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions NGINX Plus versions prior to 37.0.3.1 NGINX Open Source versions prior to 1.31.3 NGINX Open Source versions prior to 1.30.4 NGINX Ingress Controller (affected versions not specified) Gateway Fabric (affected versions not specified) App Protect WAF (affected versions not specified) Instance Manager (affected versions not specified)
Description An issue exists when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. This can also occur when using a non-cacheable variable in a string expression under specific conditions. An unauthenticated attacker can exploit this by sending crafted HTTP requests, potentially causing a heap buffer overflow in the NGINX worker process. This may result in a denial-of-service (DoS) via a process restart or allow remote code execution on systems where Address Space Layout Randomization (ASLR)—a security technique that randomizes memory addresses to prevent exploitation—is disabled or bypassed.
Recommendations Update NGINX Plus to version 37.0.3.1. Update NGINX Open Source to version 1.31.3. Update NGINX Open Source to version 1.30.4. As a temporary mitigation, switch to named regex captures. At the moment, there is no information about a newer version that contains a fix for NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager.

Fix

DoS

RCE

Heap Based Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42533

Affected Products

Nginx Open Source
Nginx Plus