PT-2026-60178 · F5 · Nginx Plus+1
CVE-2026-42533
·
Published
2026-07-15
·
Updated
2026-07-16
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NGINX Plus versions prior to 37.0.3.1
NGINX Open Source versions prior to 1.31.3
NGINX Open Source versions prior to 1.30.4
NGINX Ingress Controller (affected versions not specified)
Gateway Fabric (affected versions not specified)
App Protect WAF (affected versions not specified)
Instance Manager (affected versions not specified)
Description
An issue exists when a
map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. This can also occur when using a non-cacheable variable in a string expression under specific conditions. An unauthenticated attacker can exploit this by sending crafted HTTP requests, potentially causing a heap buffer overflow in the NGINX worker process. This may result in a denial-of-service (DoS) via a process restart or allow remote code execution on systems where Address Space Layout Randomization (ASLR)—a security technique that randomizes memory addresses to prevent exploitation—is disabled or bypassed.Recommendations
Update NGINX Plus to version 37.0.3.1.
Update NGINX Open Source to version 1.31.3.
Update NGINX Open Source to version 1.30.4.
As a temporary mitigation, switch to named regex captures.
At the moment, there is no information about a newer version that contains a fix for NGINX Ingress Controller, Gateway Fabric, App Protect WAF, and Instance Manager.
Fix
DoS
RCE
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nginx Open Source
Nginx Plus