Last updated: May 14, 2026 at 10:49 AM UTC
Tag: f5 (2 articles)

NGINX Rift: 18-year-old heap overflow in the rewrite module lets anyone on the internet crash or take over an NGINX server (CVE-2026-42945)

An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.

Check
Grep your NGINX configs for rewrite directives that combine unnamed captures ($1, $2) with question marks in the replacement, and inventory the NGINX version on every reverse proxy you operate.
Affected
NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; NGINX Instance Manager, App Protect WAF, Gateway Fabric, and Ingress Controller across multiple versions.
Fix
Upgrade NGINX Open Source to 1.31.0 or 1.30.1; NGINX Plus users to R36 P4 or R32 P6. If patching is delayed, swap unnamed captures for named captures ((?<name>...)) in every affected rewrite directive.

F5 BIG-IP APM flaw reclassified from DoS to pre-auth RCE - now actively exploited (CVE-2025-53521)

Remember that F5 BIG-IP APM bug from last year everyone treated as a denial-of-service issue? Turns out it's pre-auth remote code execution - CVSS 9.3. F5 quietly reclassified it after new findings in March 2026 and confirmed exploitation in the wild. CISA added it to the KEV catalog with a March 30 patch deadline. That's tomorrow.

Check
Check if you run F5 BIG-IP with APM access policies enabled.
Affected
BIG-IP APM 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10.
Fix
Update to 17.5.2, 17.1.3, 16.1.7, or 15.1.11 respectively. CISA deadline is March 30, 2026.