F5 released an out-of-band security advisory on July 16 addressing multiple vulnerabilities in NGINX and BIG-IP, with CVE-2026-42533 — a CVSS 9.2 heap buffer overflow affecting NGINX Plus and NGINX Open Source — as the most severe finding. The vulnerability, triggered by crafted HTTP requests to the affected components, requires no authentication from the attacker. F5’s advisory, designated K000161837, is separate from the emergency NGINX QUIC module patches F5 issued in June and addresses a distinct attack surface in NGINX’s HTTP processing code.
CVE-2026-42533 Heap Overflow Technical Details and Exploitation Conditions
CVE-2026-42533 is a heap buffer overflow in NGINX Plus and NGINX Open Source that an unauthenticated attacker can trigger by sending a specially crafted HTTP request to a vulnerable NGINX instance. Heap buffer overflows in web server components are a well-established class of memory corruption vulnerability — they allow an attacker to write data beyond the bounds of a heap allocation, potentially overwriting adjacent memory structures in ways that lead to arbitrary code execution, process crashes, or information disclosure.
F5’s advisory specifies that code execution through CVE-2026-42533 is achievable only on systems where Address Space Layout Randomization is disabled. ASLR is a memory security mechanism that randomizes the base addresses of process memory regions, making it substantially harder for an attacker to predict where injected code will execute. Systems where ASLR is configured below standard settings, legacy deployments with ASLR disabled, and certain containerized environments where ASLR configuration differs from host defaults may be fully exploitable without this mitigation in place.
The ASLR condition reduces the proportion of NGINX deployments immediately vulnerable to code execution, but does not address the underlying heap overflow — a crashed NGINX process creates a denial-of-service condition even without code execution, and future research may identify exploitation paths that work under standard ASLR configurations.
F5 reported no in-the-wild exploitation of CVE-2026-42533 at the time of the advisory’s release.
Additional NGINX Module Vulnerabilities and BIG-IP DoS Risk in Advisory K000161837
Advisory K000161837 covers several additional NGINX vulnerabilities beyond CVE-2026-42533, though F5 did not assign CVE identifiers to these findings at the time of publication.
Two memory leak vulnerabilities affect specific NGINX modules: one in ngx_http_slice_module, used to split large responses into sub-requests for range-based caching, and one in ngx_http_ssi_module, which handles server-side include processing. Both memory leaks can be abused to exhaust server memory through sustained request floods, producing a denial-of-service condition against the NGINX process. Use-after-free conditions are also documented in the advisory as potentially exploitable for code execution under specific conditions, though F5 did not specify what those conditions are.
The NGINX Ingress Controller is also addressed in the advisory for an arbitrary configuration directive injection vulnerability. This finding requires authenticated access — an authenticated attacker can inject unauthorized directives into the NGINX configuration, which could alter server behavior in ways that affect downstream applications and services the Ingress Controller routes traffic to.
The BIG-IP vulnerability addressed in the same advisory batch is an HTTP/2 resource exhaustion condition. Unauthenticated remote attackers can trigger resource exhaustion on BIG-IP deployments with HTTP/2 profiles enabled, resulting in denial-of-service against the affected BIG-IP instance. HTTP/2 resource exhaustion attacks send large numbers of concurrent HTTP/2 streams or requests to hold open server resources without completing transactions.
How CVE-2026-42533 Differs From F5’s June NGINX QUIC Module RCE Patches
F5 issued emergency patches for NGINX in June, including out-of-band advisories for critical unauthenticated remote code execution vulnerabilities in the NGINX QUIC module. Those June patches addressed a use-after-free vulnerability in QUIC packet processing — a different attack surface, a different module, and a distinct set of CVE identifiers from CVE-2026-42533.
The July 16 advisory K000161837 is an independent out-of-band release that addresses the heap buffer overflow in NGINX’s HTTP processing code, not the QUIC module. Organizations that applied the June emergency NGINX patches are patched against the QUIC module vulnerabilities but are not protected against CVE-2026-42533 by those prior patches. The two advisories represent separate lines of NGINX security research that happened to produce emergency patches in the same calendar period.
Patching Exposure for NGINX Plus, Open Source, and Ingress Controller Deployments
F5 has not disclosed the specific patched version numbers for NGINX Plus or NGINX Open Source in the public advisory text. Fixes are available through the Broadcom support portal. Organizations running NGINX Plus — the commercial version deployed in enterprise environments — and those running NGINX Open Source, which powers more than 30 percent of the top one million websites globally, should access the support portal to identify and apply the relevant patched versions.
Given the breadth of NGINX’s deployment footprint — as a reverse proxy, load balancer, TLS termination point, and API gateway in enterprise and cloud environments — each NGINX instance that serves as an entry point for multiple backend applications represents a risk surface where CVE-2026-42533 exploitation could affect more than just the NGINX process itself. Organizations should prioritize patching internet-facing NGINX Plus and NGINX Open Source instances, particularly any deployment running in environments where ASLR may not be at standard configuration.
