PT-2026-60206 · F5 · Nginx Open Source+1

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-60005

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
NGINX Plus and NGINX Open Source have a vulnerability in the ngx http slice module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart.
Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx http slice module module is not enabled by default; it's enabled with the --with-http slice module configuration parameter.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Fix

Use of Uninitialized Resource

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-60005

Affected Products

Nginx Open Source
Nginx Plus