PT-2026-60206 · F5 · Nginx Plus+1

CVE-2026-60005

·

Published

2026-07-15

·

Updated

2026-07-16

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions NGINX Plus (affected versions not specified) NGINX Open Source (affected versions not specified)
Description A flaw exists in the ngx http slice module module, which is enabled via the --with-http slice module configuration parameter. Unauthenticated attackers can send requests that trigger uninitialized memory access in the NGINX worker process when the slice directive is used with unnamed regex captures or during a background cache update. This can result in a restart of the worker process or limited disclosure of memory contents. This is a data plane issue and does not expose the control plane.
Recommendations Upgrade to a vendor-listed fixed release. As a temporary mitigation, avoid using the slice directive or disable the ngx http slice module module.

Fix

DoS

Use of Uninitialized Resource

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-60005

Affected Products

Nginx Open Source
Nginx Plus