PT-2026-60206 · F5 · Nginx Plus+1
CVE-2026-60005
·
Published
2026-07-15
·
Updated
2026-07-16
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
NGINX Plus (affected versions not specified)
NGINX Open Source (affected versions not specified)
Description
A flaw exists in the
ngx http slice module module, which is enabled via the --with-http slice module configuration parameter. Unauthenticated attackers can send requests that trigger uninitialized memory access in the NGINX worker process when the slice directive is used with unnamed regex captures or during a background cache update. This can result in a restart of the worker process or limited disclosure of memory contents. This is a data plane issue and does not expose the control plane.Recommendations
Upgrade to a vendor-listed fixed release.
As a temporary mitigation, avoid using the
slice directive or disable the ngx http slice module module.Fix
DoS
Use of Uninitialized Resource
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nginx Open Source
Nginx Plus