
F5 Patches Critical, High-Severity NGINX Vulnerabilities

Jeff Davies 18 Jun 2026 6 min read

1. Executive summary

F5 has released out-of-band security updates addressing multiple vulnerabilities in NGINX, NGINX Plus, and NGINX Gateway Fabric. The two most severe issues — CVE-2026-42530 and CVE-2026-42055 — carry a CVSS score of 9.2 (Critical) and affect HTTP modules; they are remotely exploitable without authentication and can trigger a use-after-free or heap-based buffer overflow. Successful exploitation causes the NGINX worker process to restart (denial-of-service) and, if Address Space Layout Randomization (ASLR) is disabled or bypassed, arbitrary code execution. Two additional high-severity flaws (CVE-2026-11311, CVE-2026-50107) in NGINX Gateway Fabric allow authenticated attackers to inject arbitrary NGINX configuration directives, enabling exposure of pod-filesystem data, traffic redirection to attacker-controlled endpoints, or denial-of-service. Two medium-severity flaws additionally allow remote memory disclosure or worker-process restart. F5 states there is no current evidence of in-the-wild exploitation, but notes NGINX has recently been targeted in attacks. For EMEA financial services firms running NGINX in internet-facing or internal service-mesh roles, the unauthenticated RCE path and the Gateway Fabric configuration-injection path represent a material risk requiring immediate patching.

2. Regulatory framing

| Article | Trigger (the fact in this item) | Practical impact |
| --- | --- | --- |
| DORA Art. 28 | NGINX / NGINX Plus / NGINX Gateway Fabric is a third-party ICT component supplied by F5. | Third-party risk management principles apply; firms must ensure the vendor risk register and contractual provisions reflect F5's security notification and patching cadence. |
| DORA Art. 29 | NGINX is widely deployed across web, reverse-proxy and service-mesh roles in many firms, creating potential ICT concentration risk. | Firms should assess whether NGINX constitutes a concentration-risk point in their ICT estate and document mitigations (patching SLA, alternative stacks, segmentation). |
| DORA Art. 17 | Unauthenticated remote exploitation of an internet-facing component requires a defined ICT-related incident management process. | Patching, monitoring and rollback procedures for NGINX must be integrated into the firm's ICT incident management process; evidence of timely remediation should be retained. |
| DORA Art. 18 | A successful exploit would constitute an ICT-related incident requiring classification. | Pre-classify a potential NGINX compromise (DoS, data exposure, RCE) against the firm's ICT incident classification taxonomy before exploitation occurs. |
| DORA Art. 19 | A successful exploit meeting major-incident thresholds would trigger reporting to competent authorities. | Pre-stage reporting templates and competent-authority contact details for NGINX-related incidents. |
| DORA Art. 24 | NGINX is part of the ICT estate subject to digital operational resilience testing. | Include NGINX instances in vulnerability-management and resilience-test scope; verify patched builds are deployed in test environments. |
| DORA Art. 30 | F5 is an ICT third-party provider; key contractual provisions govern notification and support. | Confirm the F5 support contract covers out-of-band security advisories and that contractual notification SLAs are honoured. |
| NIS2 Art. 21(2)(d) | NGINX is a supply-chain software component in scope of supply-chain security measures. | Apply supply-chain security measures: inventory NGINX versions, validate signed packages, monitor F5 advisories. |
| NIS2 Art. 23 | A successful exploit would create an incident-reporting obligation under NIS2. | Pre-stage the NIS2 incident-reporting workflow for NGINX-related incidents. |
| UK NIS 2018 | NGINX may underpin OES/RDSP-facing services; exploitation would engage OES/RDSP duties. | Confirm NGINX-hosted services are within OES/RDSP scope and that incident-handling duties are mapped. |

3. Technical analysis & attack chain

The vulnerabilities affect three product lines: NGINX Open Source, NGINX Plus, and NGINX Gateway Fabric. F5 has not published fixed-version identifiers in the source material; affected organisations must consult F5's security notification for the exact build numbers.

Attack chain (CVE-2026-42530 / CVE-2026-42055 — Critical, CVSS 9.2)

  1. Reconnaissance. Attacker identifies an internet-exposed NGINX instance (HTTP/HTTPS listener) running an affected build.
  2. Initial access — unauthenticated network request. Attacker sends a crafted HTTP request to an affected HTTP module. No credentials are required.
  3. Vulnerability trigger. The request triggers either:
     - CVE-2026-42530 — a use-after-free condition in an HTTP module, or
     - CVE-2026-42055 — a heap-based buffer overflow in an HTTP module.
  4. Denial-of-service (primary outcome). The NGINX worker process crashes and is restarted by the master process, producing a denial-of-service condition. Repeated requests sustain the DoS.
  5. Arbitrary code execution (conditional outcome). If ASLR is disabled on the host, or if the attacker can bypass ASLR (e.g., via a separate information-disclosure primitive such as the medium-severity memory-disclosure flaw), the attacker can chain the memory-corruption primitive to achieve arbitrary code execution within the NGINX worker process context.
  6. Post-exploitation. With worker-level code execution, the attacker can read NGINX configuration, intercept proxied traffic, pivot to upstream backends, and persist by modifying configuration files reloaded by NGINX.

Attack chain (CVE-2026-11311 / CVE-2026-50107 — High-severity, NGINX Gateway Fabric)

  1. Initial access — authenticated. Attacker holds valid credentials to the NGINX Gateway Fabric control plane (e.g., a Kubernetes-side service account or admin role).
  2. Configuration injection. Attacker submits crafted NGINX configuration directives through the affected management API.
  3. Impact paths:
     - Sensitive-data exposure — directives expose files from the NGINX pod filesystem (e.g., autoindex on, misconfigured root/alias).
     - Traffic redirection — directives proxy traffic to attacker-controlled endpoints (e.g., proxy_pass to an attacker host).
     - DoS — directives prevent NGINX from reloading, breaking service availability.
  4. Persistence. Malicious directives persist in the Gateway Fabric configuration until manually removed.

Additional medium-severity flaws

Two medium-severity NGINX flaws allow remote attackers to disclose memory contents or to restart the NGINX worker process, causing a DoS condition. The memory-disclosure flaw can serve as an information-disclosure primitive to defeat ASLR and enable the RCE path described above.

Technical specifics

  • Affected components: NGINX HTTP modules (CVE-2026-42530, CVE-2026-42055); NGINX Gateway Fabric (CVE-2026-11311, CVE-2026-50107).
  • Authentication required: None for the two Critical CVEs; valid credentials for the two Gateway Fabric High CVEs.
  • User interaction: None.
  • Impact primitives: use-after-free, heap-based buffer overflow, configuration injection, memory disclosure, worker-process restart.
  • Affected products (per F5): NGINX Open Source, NGINX Plus, NGINX Gateway Fabric.
  • Vendor fix: F5 has released updated versions of NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric; exact version numbers are not stated in the source material and must be obtained from F5's security notification.

Unconfirmed / single-sourced: The general statement that "NGINX has recently been targeted in attacks" is not attributed to a specific threat actor, campaign, or MITRE-tracked group in the source material. Treat any actor-level attribution as unconfirmed until corroborated by F5 or a primary intelligence source.

4. Mitigation & containment

P1 — within 24 hours

  • Patch NGINX Open Source and NGINX Plus to the F5-released fixed versions for CVE-2026-42530 and CVE-2026-42055. Prioritise internet-facing instances and any instance handling authentication, payments, or PII.
  • Patch NGINX Gateway Fabric to the F5-released fixed versions for CVE-2026-11311 and CVE-2026-50107.
  • Inventory and triage: enumerate all NGINX/NGINX Plus/Gateway Fabric deployments (Kubernetes labels, package manager queries, container image tags) and assign an owner per instance.
  • Restrict Gateway Fabric management plane: until patched, restrict the Gateway Fabric admin/API surface to known administrator IPs and require MFA; review recent configuration changes for unauthorised directives.
  • Enable ASLR on all hosts running NGINX if not already enforced (Linux: kernel.randomize_va_space=2; verify with cat /proc/sys/kernel/randomize_va_space).

P2 — within 72 hours

  • Apply the medium-severity patches addressing memory-disclosure and worker-restart flaws.
  • Configuration hardening: audit NGINX configs for autoindex on, overly broad root/alias directives, and proxy_pass to non-corporate endpoints; remove or restrict.
  • WAF / rate-limiting: deploy targeted WAF rules to drop malformed HTTP requests targeting the affected HTTP modules until patching is complete; rate-limit suspicious request patterns to mitigate DoS.
  • Logging: ensure NGINX access and error logs, plus Kubernetes audit logs for Gateway Fabric, are forwarded to SIEM with at least 90 days retention.
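The configuration audit in the P2 list above (autoindex on, overly broad root/alias, proxy_pass to non-corporate endpoints) and the P1 review of Gateway Fabric changes for unauthorised directives can be scripted against exported NGINX config. The checker below is an added example written for this advisory, not F5 or NGINX code; the trusted upstream suffixes, the sensitive-path list and the sample config are constructed assumptions to be replaced with the firm's own values.

```python
import re
from urllib.parse import urlsplit
# Assumed corporate upstream suffixes and sensitive roots (not from the advisory).
TRUSTED_UPSTREAM_SUFFIXES = (".corp.example", ".svc.cluster.local")
SENSITIVE_PATHS = ("/etc", "/proc", "/var/run/secrets", "/run/secrets")
# A directive may start a line or follow '{' / ';' on the same line.
DIRECTIVE_RE = re.compile(r"(?:^|[{;])\s*(autoindex|root|alias|proxy_pass)\s+([^;{}\n]+);", re.M)
UPSTREAM_RE = re.compile(r"^\s*upstream\s+(\S+)\s*\{", re.M)

def audit_nginx_config(config_text: str) -> list:
    """Return one finding per directive matching the advisory's P2 audit points."""
    upstreams = set(UPSTREAM_RE.findall(config_text))
    findings = []
    for m in DIRECTIVE_RE.finditer(config_text):
        name, value = m.group(1), m.group(2).strip().strip("\"'")
        line = config_text.count("\n", 0, m.start(1)) + 1  # 1-based line of the directive
        reason = None
        if name == "autoindex" and value.lower() == "on":
            reason = "directory listing enabled (pod filesystem exposure)"
        elif name in ("root", "alias"):
            path = value.rstrip("/") or "/"
            if path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS):
                reason = "serves a sensitive filesystem path"
        elif name == "proxy_pass":  # named upstreams and trusted suffixes are acceptable
            host = urlsplit(value).hostname if "://" in value else value
            if host is None or "$" in value:
                reason = "dynamic proxy_pass target needs manual review"
            elif host not in upstreams and not host.endswith(TRUSTED_UPSTREAM_SUFFIXES):
                reason = "proxies to a non-corporate endpoint"
        if reason:
            findings.append({"line": line, "directive": name, "value": value, "reason": reason})
    return findings

# Constructed sample config (not from any real deployment) exercising each check.
SAMPLE_CONFIG = """\
upstream payments_backend { server 10.20.0.5:8443; }
server {
    location /payments/ { proxy_pass https://payments_backend; }
    location /static/   { root /var/www/app; }
    location /files/ {
        alias /var/run/secrets/kubernetes.io/;
        autoindex on;
    }
    location /api/ { proxy_pass http://relay.unknown-host.example:8080/; }
}
"""

if __name__ == "__main__":
    for f in audit_nginx_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['directive']} {f['value']} -> {f['reason']}")
```

Run it over the output of nginx -T (or the rendered Gateway Fabric config) and diff findings between successive configuration revisions to spot newly introduced directives.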

P3 — within 7 days

  • Resilience testing: include NGINX instances in the next DORA Art. 24 resilience-test cycle; verify patched builds under load.
  • Third-party risk review: confirm F5 support contract covers out-of-band advisories and that contractual notification SLAs are honoured (DORA Art. 30).
  • Concentration-risk review: assess whether NGINX represents an ICT concentration-risk point and document mitigations (DORA Art. 29).
  • Supply-chain hygiene: pin NGINX container images to signed, patched tags; verify checksums against F5-published values (NIS2 Art. 21(2)(d)).

5. Indicators of compromise

No indicators of compromise available in the source material.

6. Detection

Insufficient indicators to author detection rules.

7. Sources

  • SecurityWeek — F5 Patches Critical, High-Severity NGINX Vulnerabilities — https://www.securityweek.com/f5-patches-critical-high-severity-nginx-vulnerabilities/ — 2026-06-18
  • BSI Germany — [NEW] [high] NGINX and NGINX Plus: Multiple vulnerabilities (WID-SEC-2026-1995) — https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1995
  • ANSSI France CERT — Vulnerability in Nginx (CERTFR-2026-AVI-0643) — https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0643/ — 2026-05-26

8. Adverse Trace position

Severity: Critical for any EMEA financial services firm running an unpatched, internet-exposed NGINX or NGINX Plus instance, or any NGINX Gateway Fabric deployment with an authenticated attack surface. The combination of unauthenticated remote exploitation, a CVSS 9.2 score, and a credible RCE path (conditional on ASLR bypass) places this in the top tier of 2026 infrastructure risk. Client impact: firms with NGINX in customer-facing, payment-processing, or service-mesh roles should treat patching as a P1 activity within 24 hours; Gateway Fabric operators must additionally audit recent configuration changes for unauthorised directives. Next steps: Adverse Trace will (1) monitor F5's security notification for fixed-version identifiers and update this advisory, (2) track any CISA KEV listing or in-the-wild exploitation reports, and (3) assist clients with NGINX estate inventory, patch verification, and configuration-hardening reviews on request.


Published via PulseTrace — Adverse Trace threat intelligence.
