Last updated: July 5, 2026 at 9:01 AM UTC
Tag: f5 (4 articles)

Critical F5 NGINX flaws allow unauthenticated code execution and crashes

F5 has issued out-of-band patches for two critical flaws in NGINX, the web server and reverse proxy that runs a large share of the internet. CVE-2026-42530 (a use-after-free in the HTTP/3 module) and CVE-2026-42055 (a heap overflow in the HTTP/2 proxy and gRPC modules), both rated 9.2, let a remote, unauthenticated attacker corrupt memory in an NGINX worker, crashing it for a denial of service and, where address-space randomization is disabled or bypassed, potentially running code. They affect non-default configurations across NGINX Open Source, Plus, Gateway Fabric, and Instance Manager. F5 has not seen exploitation yet, but its products are frequent attacker targets.

Check
Inventory NGINX instances and versions across servers, ingress, and gateways, and check whether HTTP/3 (QUIC) or HTTP/2 proxy and gRPC upstreams are enabled, which is what exposes these flaws.
Affected
NGINX Open Source, NGINX Plus, Gateway Fabric, and Instance Manager in non-default configurations using HTTP/3 (CVE-2026-42530) or HTTP/2 proxying and gRPC (CVE-2026-42055); unauthenticated remote attackers can trigger the flaws.
Fix
Upgrade to the fixed releases (NGINX Open Source 1.31.2, Plus 37.0.2.1 or R36 P6, Gateway Fabric 2.6.4). If you cannot patch now, disable HTTP/3 or the affected proxy settings as F5 advises.

NGINX 'Rift' heap overflow CVE-2026-42945 now seeing exploitation attempts in VulnCheck honeypots

The 18-year-old heap overflow in NGINX's rewrite module, CVE-2026-42945, disclosed last week as part of the 'Rift' bug cluster, is now seeing real exploitation attempts. AI-native security firm VulnCheck says its honeypot networks have caught attackers probing the flaw, though the goal of the campaigns is not yet clear. The vulnerability lets an unauthenticated attacker crash NGINX worker processes by sending crafted HTTP requests. Turning that crash into remote code execution requires the target host to have Address Space Layout Randomization (ASLR) disabled, which is uncommon by default, but the worker-crash denial-of-service is exploitable on its own and rated urgent.

Check
Search NGINX error logs for unusual worker crashes since 2026-05-13. Identify servers running NGINX open source before 1.30.1/1.31.0 or NGINX Plus before R32 P6 / R36 P4.
Affected
NGINX open source 0.6.27 through 1.30.0; NGINX Plus R32 through R36. Exploitable for DoS by default; RCE requires ASLR disabled on the target host.
Fix
Upgrade open source NGINX to 1.30.1 (stable) or 1.31.0 (mainline), or NGINX Plus to R32 P6 / R36 P4. Confirm ASLR remains enabled (default on supported Linux distributions).

NGINX Rift: 18-year-old heap overflow in the rewrite module lets anyone on the internet crash or take over an NGINX server (CVE-2026-42945)

An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.

Check
Grep your NGINX configs for rewrite directives that combine unnamed captures ($1, $2) with question marks in the replacement, and inventory the NGINX version on every reverse proxy you operate.
Affected
NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; NGINX Instance Manager, App Protect WAF, Gateway Fabric, and Ingress Controller across multiple versions.
Fix
Upgrade NGINX Open Source to 1.31.0 or 1.30.1; NGINX Plus users to R36 P4 or R32 P6. If patching is delayed, swap unnamed captures for named captures ((?<name>...)) in every affected rewrite directive.
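
The config check described above, as an added example (not code from the article, F5, or NGINX): a line-based scan that flags rewrite directives whose replacement combines an unnamed capture with a question mark, and reports whether a rewrite, if, or set directive follows in the same block. It assumes one directive per line and unquoted arguments; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample config for illustration (not taken from the article).
SAMPLE = r"""
server {
    location /api/ {
        rewrite ^/api/v1/(.*)$ /backend/$1?legacy=1 last;   # unnamed capture + '?'
        set $flag 1;
    }
    location /named/ {
        rewrite ^/named/(?<rest>.*)$ /backend/$rest?legacy=1 last;  # named capture
        set $flag 1;
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /backend/$1 last;              # no '?' in replacement
    }
}
"""

REWRITE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)')   # regex, replacement
FOLLOWER = re.compile(r'^\s*(rewrite|if|set)\b')       # directives named in the advisory
UNNAMED = re.compile(r'\$\d')                          # $1, $2, ... (not $name)

def strip_comment(line):
    # Simplification: a '#' at line start or after whitespace begins a comment.
    return re.sub(r'(^|\s)#.*$', '', line)

def followed_in_block(lines, i):
    # True if a rewrite/if/set directive appears later in the same block.
    depth = 0
    for line in lines[i + 1:]:
        if depth == 0 and FOLLOWER.match(line):
            return True
        depth += line.count('{') - line.count('}')
        if depth < 0:          # enclosing block closed
            return False
    return False

def find_risky_rewrites(text):
    # Returns (line_number, replacement, followed_by_rewrite_if_set) tuples.
    lines = [strip_comment(l) for l in text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = REWRITE.match(line)
        if m and UNNAMED.search(m.group(2)) and '?' in m.group(2):
            findings.append((i + 1, m.group(2), followed_in_block(lines, i)))
    return findings

if __name__ == "__main__":
    for lineno, repl, followed in find_risky_rewrites(SAMPLE):
        print(f"line {lineno}: {repl} (followed by rewrite/if/set: {followed})")
```

Treat every flagged line as a candidate for the named-capture swap regardless of the third field, since a line-based scan cannot see directives pulled in through include files.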

F5 BIG-IP APM flaw reclassified from DoS to pre-auth RCE - now actively exploited (CVE-2025-53521)

Remember that F5 BIG-IP APM bug from last year everyone treated as a denial-of-service issue? Turns out it's pre-auth remote code execution - CVSS 9.3. F5 quietly reclassified it after new findings in March 2026 and confirmed exploitation in the wild. CISA added it to the KEV catalog with a March 30 patch deadline. That's tomorrow.

Check
Check if you run F5 BIG-IP with APM access policies enabled.
Affected
BIG-IP APM 17.5.0-17.5.1, 17.1.0-17.1.2, 16.1.0-16.1.6, 15.1.0-15.1.10.
Fix
Update to 17.5.2, 17.1.3, 16.1.7, or 15.1.11 respectively. CISA deadline is March 30, 2026.