Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3188 vulnerabilities by f5
CVE-2026-50107 (GCVE-0-2026-50107)
Vulnerability from nvd – Published: 2026-06-17 20:04 – Updated: 2026-06-18 12:57- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161785 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Gateway Fabric |
Affected:
2.3.0 , < 2.6.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:57:49.527832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:57:56.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Custom Resource Definitions"
],
"product": "NGINX Gateway Fabric",
"vendor": "F5",
"versions": [
{
"lessThan": "2.6.4",
"status": "affected",
"version": "2.3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the \u003c/span\u003e\u003cstrong\u003eNginxProxy\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy\u00a0Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T20:04:44.518Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161785"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "NGINX Gateway Fabric vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-50107",
"datePublished": "2026-06-17T20:04:44.518Z",
"dateReserved": "2026-06-17T16:35:56.336Z",
"dateUpdated": "2026-06-18T12:57:56.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32682 (GCVE-0-2026-32682)
Vulnerability from nvd – Published: 2026-06-17 20:05 – Updated: 2026-06-18 12:57- CWE-129 - Improper Validation of Array Index
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161786 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Gateway Fabric |
Affected:
1.3.0 , < 2.6.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:57:19.705230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:57:26.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"GRPCRoutes"
],
"product": "NGINX Gateway Fabric",
"vendor": "F5",
"versions": [
{
"lessThan": "2.6.4",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T20:05:17.808Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161786"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "NGINX Gateway Fabric vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-32682",
"datePublished": "2026-06-17T20:05:17.808Z",
"dateReserved": "2026-06-17T16:35:56.342Z",
"dateUpdated": "2026-06-18T12:57:26.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48142 (GCVE-0-2026-48142)
Vulnerability from nvd – Published: 2026-06-17 14:04 – Updated: 2026-06-17 15:42 X_F5- CWE-125 - Out-of-bounds Read
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161585 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.13.10 , < 1.31.2
(custom)
Affected: 1.30.0 , < 1.30.3 (custom) |
|
| F5 | NGINX Plus |
Affected:
37.0 , < 37.0.2.1
(custom)
Affected: R36 , < R36 P6 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:42:46.410409Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:42:56.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_charset_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.2",
"status": "affected",
"version": "1.13.10",
"versionType": "custom"
},
{
"lessThan": "1.30.3",
"status": "affected",
"version": "1.30.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_charset_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "37.0.2.1",
"status": "affected",
"version": "37.0",
"versionType": "custom"
},
{
"lessThan": "R36 P6",
"status": "affected",
"version": "R36",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges p4p3r of CYBERONE and Han Yan of Xiaomi for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_charset_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module. When content is served or proxied through a location block with both \u003c/span\u003e\u003cstrong\u003esource_charset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;utf-8; and a \u003c/span\u003e\u003cstrong\u003echarset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive (for example, \u003c/span\u003e\u003cstrong\u003echarset koi8-r\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module\u00a0module. When content is served or proxied through a location block with both source_charset\u00a0utf-8; and a charset\u00a0directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:32.856Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161585"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX ngx_http_charset_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-48142",
"datePublished": "2026-06-17T14:04:32.856Z",
"dateReserved": "2026-06-02T21:45:04.856Z",
"dateUpdated": "2026-06-17T15:42:56.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42530 (GCVE-0-2026-42530)
Vulnerability from nvd – Published: 2026-06-17 14:04 – Updated: 2026-06-30 12:08 X_F5- CWE-416 - Use After Free
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161616 | vendor-advisory |
| https://access.redhat.com/security/cve/CVE-2026-42530 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489872 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.31.0 , < 1.31.2
(custom)
|
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Lightspeed proxy 1 |
cpe:/a:redhat:insights_proxy:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:57:47.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat Lightspeed proxy 1",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-17T14:04:32.173Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the ngx_http_v3_module module of NGINX. When NGINX is configured to use the HTTP/3 QUIC module, an attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream and cause a use-after-free issue, potentially allowing code execution or a denial of service by forcing the process to restart."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:40.670Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42530"
},
{
"name": "RHBZ#2489872",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489872"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42530.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-17T16:02:06.547Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-17T14:04:32.173Z",
"value": "Made public."
}
],
"title": "nginx: ngx_http_v3_module: use-after-free issue leads to denial of service",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, disable HTTP/3 by removing quic from all listen directives."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_v3_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.2",
"status": "affected",
"version": "1.31.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges Trung Nguyen (@everping) of CyStack, Zhenpeng (Leo) Lin (depthfirst), Evan Hellman (@xintenseapple) of Trail of Bits in collaboration with OpenAI, AntAISecurityLab, and Nebula Security (@nebusecurity) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Open Source has a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_v3_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Open Source has a vulnerability in the ngx_http_v3_module\u00a0module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:32.173Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161616"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX Open-Source ngx_http_v3_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42530",
"datePublished": "2026-06-17T14:04:32.173Z",
"dateReserved": "2026-06-02T21:45:04.719Z",
"dateUpdated": "2026-06-30T12:08:40.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42055 (GCVE-0-2026-42055)
Vulnerability from nvd – Published: 2026-06-17 14:04 – Updated: 2026-06-30 12:08 X_F5| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161584 | vendor-advisory |
| https://access.redhat.com/security/cve/CVE-2026-42055 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489866 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:27197 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.13.10 , < 1.31.2
(custom)
Affected: 1.30.2 , < 1.30.3 (custom) |
|
| F5 | NGINX Plus |
Affected:
37.0 , < 37.0.2.1
(custom)
Affected: R36 , < R36 P6 (custom) |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:57:46.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-17T14:04:32.520Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart of the NGINX worker process and a Denial of Service (DoS). Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled or bypassed, this vulnerability could also allow for arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:43.973Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42055"
},
{
"name": "RHBZ#2489866",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489866"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27197"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27197: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-17T16:01:41.848Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-17T14:04:32.520Z",
"value": "Made public."
}
],
"title": "nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, ensure that the `ignore_invalid_headers` directive is set to `on` in your NGINX configuration, or reduce the size specified by the `large_client_header_buffers` directive to 2 megabytes or less. These changes require an NGINX service reload or restart to take effect. Reloading the NGINX service is generally safe, but a restart will briefly interrupt service."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_proxy_v2_module",
"ngx_http_grpc_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.2",
"status": "affected",
"version": "1.13.10",
"versionType": "custom"
},
{
"lessThan": "1.30.3",
"status": "affected",
"version": "1.30.2",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_proxy_v2_module",
"ngx_http_grpc_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "37.0.2.1",
"status": "affected",
"version": "37.0",
"versionType": "custom"
},
{
"lessThan": "R36 P6",
"status": "affected",
"version": "R36",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and \u7ae0\u9c7c\u54e5 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_proxy_v2_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_grpc_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003eproxy_http_version to 2\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003egrpc_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directives are used to proxy HTTP/2 traffic, the \u003c/span\u003e\u003cstrong\u003eignore_invalid_headers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to off, and the \u003c/span\u003e\u003cstrong\u003elarge_client_header_buffers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module\u00a0and ngx_http_grpc_module\u00a0modules. This vulnerability exists when the proxy_http_version to 2\u00a0or grpc_pass\u00a0directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers\u00a0directive is set to off, and the large_client_header_buffers\u00a0directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:32.520Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161584"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42055",
"datePublished": "2026-06-17T14:04:32.520Z",
"dateReserved": "2026-06-02T21:45:04.818Z",
"dateUpdated": "2026-06-30T12:08:43.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11311 (GCVE-0-2026-11311)
Vulnerability from nvd – Published: 2026-06-17 14:04 – Updated: 2026-06-17 15:42 X_F5- CWE-76 - Improper Neutralization of Equvalent Special Elements
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161611 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Gateway Fabric |
Affected:
2.5.0 , < 2.6.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:42:03.715663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:42:37.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Custom Resource Definitions"
],
"product": "NGINX Gateway Fabric",
"vendor": "F5",
"versions": [
{
"lessThan": "2.6.4",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the \u003c/span\u003e\u003cstrong\u003eNginxProxy\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Custom Resource Definition \u003c/span\u003e\u003cstrong\u003eserverTokens\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;field and the \u003c/span\u003e\u003cstrong\u003eAuthenticationFilter\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Custom Resource Definition \u003c/span\u003e\u003cstrong\u003eextraAuthArgs\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy\u00a0Custom Resource Definition serverTokens\u00a0field and the AuthenticationFilter\u00a0Custom Resource Definition extraAuthArgs\u00a0field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-76",
"description": "CWE-76 Improper Neutralization of Equvalent Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:33.197Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161611"
}
],
"source": {
"discovery": "INTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX Gateway Fabric vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-11311",
"datePublished": "2026-06-17T14:04:33.197Z",
"dateReserved": "2026-06-04T18:01:54.825Z",
"dateUpdated": "2026-06-17T15:42:37.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49975 (GCVE-0-2026-49975)
Vulnerability from nvd – Published: 2026-06-08 15:26 – Updated: 2026-06-30 03:20| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache HTTP Server |
Affected:
2.4.17 , ≤ 2.4.67
(semver)
|
|
| Red Hat | Red Hat JBoss Core Services on RHEL 7 Server |
cpe:/a:redhat:jboss_core_services:1::el7 |
|
| Red Hat | Red Hat JBoss Core Services on RHEL 8 |
cpe:/a:redhat:jboss_core_services:1::el8 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 8) |
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat JBoss Core Services 2.4.62.SP4 |
cpe:/a:redhat:jboss_core_services:1 |
|
| Red Hat | Red Hat OpenShift Service Mesh 2.6 |
cpe:/a:redhat:service_mesh:2.6::el9 |
|
| Red Hat | Red Hat JBoss Core Services |
cpe:/a:redhat:jboss_core_services:1 |
|
| Red Hat | Red Hat JBoss Web Server 5 |
cpe:/a:redhat:jboss_enterprise_web_server:5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-08T22:32:35.729Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/3"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/08/16"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49975",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T10:27:36.270403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T10:29:04.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/EQSTLab/CVE-2026-49975"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1::el7"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Core Services on RHEL 7 Server",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1::el8"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Core Services on RHEL 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Core Services 2.4.62.SP4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Core Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_web_server:5"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Web Server 5",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:20:31.791Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-49975"
},
{
"name": "RHBZ#2485371",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485371"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27200"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25090"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25057"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25042"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27201"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27114"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27200: Red Hat JBoss Core Services on RHEL 7 Server, Red Hat JBoss Core Services on RHEL 8"
},
{
"lang": "en",
"value": "RHSA-2026:25225: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:25090: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:25057: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25042: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:27201: Red Hat JBoss Core Services 2.4.62.SP4"
},
{
"lang": "en",
"value": "RHSA-2026:27114: Red Hat OpenShift Service Mesh 2.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T06:04:44.009Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-03T00:00:00.000Z",
"value": "Made public."
}
],
"title": "httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.4.67",
"status": "affected",
"version": "2.4.17",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Quang Luong of Calif.IO in collaboration with OpenAI Codex"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMemory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\n\nThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:26:04.674Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-26T12:00:00.000Z",
"value": "reported"
},
{
"lang": "en",
"time": "2026-05-27T12:00:00.000Z",
"value": "fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c"
},
{
"lang": "en",
"time": "2026-06-02T12:00:00.000Z",
"value": "fixed in 2.4.x by r1934882"
},
{
"lang": "eng",
"time": "2026-06-08T12:00:00.000Z",
"value": "2.4.68 released"
}
],
"title": "Apache HTTP Server: mod_http2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-49975",
"datePublished": "2026-06-08T15:26:04.674Z",
"dateReserved": "2026-06-02T17:20:37.983Z",
"dateUpdated": "2026-06-30T03:20:31.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9256 (GCVE-0-2026-9256)
Vulnerability from nvd – Published: 2026-05-22 14:11 – Updated: 2026-06-30 12:10 X_F5- CWE-122 - Heap-based Buffer Overflow
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161377 | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| https://lists.debian.org/debian-lts-announce/2026… | |
| https://access.redhat.com/security/cve/CVE-2026-9256 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480746 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:29874 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28921 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28212 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28973 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29151 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33313 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:20351 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Plus |
Affected:
37.0 , < 37.0.1.1
(custom)
Affected: R36 , < R36 P5 (custom) Affected: R32 , < R32 P7 (custom) |
|
| F5 | NGINX Open Source |
Affected:
1.31.0 , < 1.31.1
(custom)
Affected: 1.30.0 , < 1.30.2 (custom) Affected: 0.1.17 , ≤ 0.9.7 (custom) |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 8) |
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Discovery 2 |
cpe:/a:redhat:discovery:2::el9 |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Lightspeed proxy 1 |
cpe:/a:redhat:insights_proxy:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:52.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T05:35:40.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/22/14"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00023.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1"
],
"defaultStatus": "affected",
"product": "Red Hat Lightspeed proxy 1",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-22T14:11:41.877Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the ngx_http_rewrite_module module of NGINX. When a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures and a replacement string that references multiple such captures in a redirect or arguments context, an unauthenticated attacker can send crafted HTTP requests and cause a heap-based buffer overflow in the worker process, potentially allowing code execution or a denial of service by forcing the process to restart."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:51.319Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9256"
},
{
"name": "RHBZ#2480746",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480746"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9256.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29874"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28921"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28212"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28973"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29151"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33313"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20351"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:29874: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:28921: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:28212: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:28973: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:29151: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33313: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:20351: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T15:00:55.131Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-22T14:11:41.877Z",
"value": "Made public."
}
],
"title": "nginx: ngx_http_rewrite_module: code execution and denial of service",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, use named captures instead of unnamed captures in rewrite definitions.\n\nFor example, the following rewrite directive uses unnamed PCRE capture groups, $1 and $2:\n\n~~~\nrewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1\u0026tab=$2 last;\n~~~\n\nTo mitigate this vulnerability for this example, replace $1 and $2 with the appropriate named captures, $user_id and $section:\n\n~~~\nrewrite ^/users/(?\u003cuser_id\u003e[0-9]+)/profile/(?\u003csection\u003e.*)$ /profile.php?id=$user_id\u0026tab=$section last;\n~~~"
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_rewrite_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "37.0.1.1",
"status": "affected",
"version": "37.0",
"versionType": "custom"
},
{
"lessThan": "R36 P5",
"status": "affected",
"version": "R36",
"versionType": "custom"
},
{
"lessThan": "R32 P7",
"status": "affected",
"version": "R32",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_rewrite_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.1",
"status": "affected",
"version": "1.31.0",
"versionType": "custom"
},
{
"lessThan": "1.30.2",
"status": "affected",
"version": "1.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "0.9.7",
"status": "affected",
"version": "0.1.17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges Mufeed VH of Winfunc Research, Nebula Security (@nebusecurity), and Vexera AI for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-05-22T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:20:47.449Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161377"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX ngx_http_rewrite_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-9256",
"datePublished": "2026-05-22T14:11:41.877Z",
"dateReserved": "2026-05-21T20:58:58.484Z",
"dateUpdated": "2026-06-30T12:10:51.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8711 (GCVE-0-2026-8711)
Vulnerability from nvd – Published: 2026-05-19 14:04 – Updated: 2026-05-21 18:29 X_F5- CWE-122 - Heap-based Buffer Overflow
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161307 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX JavaScript |
Affected:
0.9.4 , < 0.9.9
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T03:55:39.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_js_module"
],
"product": "NGINX JavaScript",
"vendor": "F5",
"versions": [
{
"lessThan": "0.9.9",
"status": "affected",
"version": "0.9.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges udolemi (S2W) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-05-19T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX JavaScript has a vulnerability when the \u003c/span\u003e\u003cstrong\u003ejs_fetch_proxy\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is configured with at least one client-controlled NGINX variable (for example, \u003c/span\u003e\u003cstrong\u003e$http_*\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003e$arg_*\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003e$cookie_*\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX JavaScript has a vulnerability when the js_fetch_proxy\u00a0directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T18:29:16.674Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161307"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX JavaScript vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-8711",
"datePublished": "2026-05-19T14:04:18.860Z",
"dateReserved": "2026-05-15T20:10:29.764Z",
"dateUpdated": "2026-05-21T18:29:16.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42946 (GCVE-0-2026-42946)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161027 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Plus |
Unaffected:
R37 , < *
(custom)
Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom) |
|
| F5 | NGINX Open Source |
Unaffected:
1.31.0 , < *
(semver)
Affected: 0.8.42 , < 1.30.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42946",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:55:04.864917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:06:56.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_scgi_module and ngx_http_uwsgi_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "R37",
"versionType": "custom"
},
{
"lessThan": "R36 P4",
"status": "affected",
"version": "R36",
"versionType": "custom"
},
{
"lessThan": "R32 P6",
"status": "affected",
"version": "R32",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_scgi_module and ngx_http_uwsgi_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.31.0",
"versionType": "semver"
},
{
"lessThan": "1.30.1",
"status": "affected",
"version": "0.8.42",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in the \u003c/span\u003e\u003cstrong\u003engx_http_scgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_uwsgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules that may result in excessive memory allocation or an over-read of data. When \u003c/span\u003e\u003cstrong\u003escgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003euwsgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "A vulnerability exists in the ngx_http_scgi_module\u00a0and ngx_http_uwsgi_module\u00a0modules that may result in excessive memory allocation or an over-read of data. When scgi_pass\u00a0or uwsgi_pass\u00a0is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-823",
"description": "CWE-823: Use of Out-of-range Pointer Offset",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:44.697Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000161027"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42946",
"datePublished": "2026-05-13T14:12:44.697Z",
"dateReserved": "2026-04-30T23:04:27.965Z",
"dateUpdated": "2026-05-13T16:06:56.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42945 (GCVE-0-2026-42945)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-07-02 12:05| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Plus |
Unaffected:
R37 , < *
(custom)
Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom) |
|
| F5 | NGINX Open Source |
Unaffected:
1.31.0 , < *
(semver)
Affected: 0.6.27 , < 1.30.1 (semver) |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 8) |
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.0) |
cpe:/a:redhat:rhel_e4s:9.0::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream E4S (v.9.2) |
cpe:/a:redhat:rhel_e4s:9.2::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0) |
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.4) |
cpe:/a:redhat:rhel_eus:9.4::crb |
|
| Red Hat | Red Hat CodeReady Linux Builder EUS (v.9.6) |
cpe:/a:redhat:rhel_eus:9.6::crb |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.14 |
cpe:/a:redhat:openshift_data_foundation:4.14::el9 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.15 |
cpe:/a:redhat:openshift_data_foundation:4.15::el9 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.16 |
cpe:/a:redhat:openshift_data_foundation:4.16::el9 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.17 |
cpe:/a:redhat:openshift_data_foundation:4.17::el9 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.18 |
cpe:/a:redhat:openshift_data_foundation:4.18::el9 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.19 |
cpe:/a:redhat:openshift_data_foundation:4.19::el9 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.21 |
cpe:/a:redhat:openshift_data_foundation:4.21::el9 |
|
| Red Hat | Red Hat Openshift Data Foundation 4.2 |
cpe:/a:redhat:openshift_data_foundation:4.20::el9 |
|
| Red Hat | Red Hat Satellite 6.18 |
cpe:/a:redhat:satellite:6.18::el9 |
|
| Red Hat | Red Hat Satellite 6.19 |
cpe:/a:redhat:satellite:6.19::el9 |
|
| Red Hat | Red Hat Update Infrastructure 5 |
cpe:/a:redhat:rhui:5::el9 |
|
| Red Hat | Red Hat 3scale API Management Platform 2 |
cpe:/a:redhat:red_hat_3scale_amp:2 |
|
| Red Hat | Red Hat Lightspeed proxy 1 |
cpe:/a:redhat:insights_proxy:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42945",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T03:56:26.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-14T18:54:21.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://depthfirst.com/nginx-rift"
},
{
"url": "https://github.com/DepthFirstDisclosures/Nginx-Rift"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.0::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1",
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.4::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.14::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.14",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.15::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.15",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.16::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.16",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.17::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.17",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.21::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.21",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift_data_foundation:4.20::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Openshift Data Foundation 4.2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.18::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6.18",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.19::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Satellite 6.19",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:red_hat_3scale_amp:2"
],
"defaultStatus": "affected",
"product": "Red Hat 3scale API Management Platform 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1"
],
"defaultStatus": "affected",
"product": "Red Hat Lightspeed proxy 1",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-13T14:12:43.971Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests under specific rewrite configurations. This can lead to a heap buffer overflow in the NGINX worker process, which may result in arbitrary code execution if Address Space Layout Randomization (ASLR), a security technique to prevent exploitation, is disabled. Otherwise, this flaw causes a denial of service due to a restart of the NGINX worker process."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Critical"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:05:15.583Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42945"
},
{
"name": "RHBZ#2477116",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477116"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42945.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17790"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18063"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19159"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18041"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17791"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17751"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17792"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17793"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17752"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17794"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17753"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:18029"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19371"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19374"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19372"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:17417"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22396"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22393"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22394"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22390"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22388"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22389"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22382"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:22383"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20442"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20444"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:21275"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:17790: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
},
{
"lang": "en",
"value": "RHSA-2026:18063: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:19159: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:18041: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:17791: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
},
{
"lang": "en",
"value": "RHSA-2026:17751: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
},
{
"lang": "en",
"value": "RHSA-2026:17792: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:17793: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
},
{
"lang": "en",
"value": "RHSA-2026:17752: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:17794: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:17753: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
},
{
"lang": "en",
"value": "RHSA-2026:18029: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19371: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19374: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:19372: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:17417: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:22396: Red Hat Openshift Data Foundation 4.14"
},
{
"lang": "en",
"value": "RHSA-2026:22393: Red Hat Openshift Data Foundation 4.15"
},
{
"lang": "en",
"value": "RHSA-2026:22394: Red Hat Openshift Data Foundation 4.16"
},
{
"lang": "en",
"value": "RHSA-2026:22390: Red Hat Openshift Data Foundation 4.17"
},
{
"lang": "en",
"value": "RHSA-2026:22388: Red Hat Openshift Data Foundation 4.18"
},
{
"lang": "en",
"value": "RHSA-2026:22389: Red Hat Openshift Data Foundation 4.19"
},
{
"lang": "en",
"value": "RHSA-2026:22382: Red Hat Openshift Data Foundation 4.21"
},
{
"lang": "en",
"value": "RHSA-2026:22383: Red Hat Openshift Data Foundation 4.2"
},
{
"lang": "en",
"value": "RHSA-2026:20442: Red Hat Satellite 6.18"
},
{
"lang": "en",
"value": "RHSA-2026:20444: Red Hat Satellite 6.19"
},
{
"lang": "en",
"value": "RHSA-2026:21275: Red Hat Update Infrastructure 5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T16:04:29.017Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-13T14:12:43.971Z",
"value": "Made public."
}
],
"title": "nginx: NGINX: Arbitrary Code Execution Vulnerability",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_rewrite_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "R37",
"versionType": "custom"
},
{
"lessThan": "R36 P4",
"status": "affected",
"version": "R36",
"versionType": "custom"
},
{
"lessThan": "R32 P6",
"status": "affected",
"version": "R32",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_rewrite_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.31.0",
"versionType": "semver"
},
{
"lessThan": "1.30.1",
"status": "affected",
"version": "0.6.27",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_rewrite_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003erewrite\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is followed by a \u003c/span\u003e\u003cstrong\u003erewrite\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003eif\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, or \u003c/span\u003e\u003cstrong\u003eset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module\u00a0module. This vulnerability exists when the rewrite\u00a0directive is followed by a rewrite, if, or set\u00a0directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T18:28:55.718Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000161019"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NGINX ngx_http_rewrite_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42945",
"datePublished": "2026-05-13T14:12:43.971Z",
"dateReserved": "2026-04-30T23:04:27.955Z",
"dateUpdated": "2026-07-02T12:05:15.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42937 (GCVE-0-2026-42937)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:09- CWE-732 - Incorrect Permission Assignment for Critical Resource
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161018 | vendor-advisorypatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T16:02:58.207895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:09:45.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.2",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.6",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.2",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "BIG-IQ",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8.4.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIncorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (\u003c/span\u003e\u003cstrong\u003etmsh\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e) \u003c/span\u003e\u003cstrong\u003earp\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003endp\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information.\u0026nbsp;\u003c/span\u003e\n\n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp\u00a0and ndp\u00a0commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information.\u00a0\n\n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "BIG-IP"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "BIG-IP"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "BIG-IQ"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "BIG-IQ"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:40.132Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000161018"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "iControl REST and tmsh vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42937",
"datePublished": "2026-05-13T14:12:40.132Z",
"dateReserved": "2026-04-30T23:04:20.019Z",
"dateUpdated": "2026-05-13T16:09:45.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42934 (GCVE-0-2026-42934)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-06-08 20:34- CWE-125 - Out-of-bounds Read
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161028 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Plus |
Unaffected:
R37 , < *
(custom)
Affected: R36 , < R36 P4 (custom) Affected: R32 , < R32 P6 (custom) |
|
| F5 | NGINX Open Source |
Unaffected:
1.31.0 , < *
(semver)
Affected: 0.3.50 , < 1.30.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:55:18.483975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:07:10.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_charset_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "R37",
"versionType": "custom"
},
{
"lessThan": "R36 P4",
"status": "affected",
"version": "R36",
"versionType": "custom"
},
{
"lessThan": "R32 P6",
"status": "affected",
"version": "R32",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_charset_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.31.0",
"versionType": "semver"
},
{
"lessThan": "1.30.1",
"status": "affected",
"version": "0.3.50",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5 acknowledges David Carlier, Zhenpeng (Leo) Lin of depthfirst, and GAO Liyou for bringing this issue to our attention and following the highest standards of coordinated disclosure."
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_charset_module \u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003emodule. When \u003c/span\u003e\u003cstrong\u003echarset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003esource_charset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, and \u003c/span\u003e\u003cstrong\u003echarset_map\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003eproxy_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;with disabled buffering (\"off\") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers\u0027 control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u0026nbsp;Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map\u00a0and proxy_pass\u00a0with disabled buffering (\"off\") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers\u0027 control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\n\n\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T20:34:05.147Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000161028"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NGINX ngx_http_charset_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42934",
"datePublished": "2026-05-13T14:12:44.331Z",
"dateReserved": "2026-04-30T23:04:27.960Z",
"dateUpdated": "2026-06-08T20:34:05.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42930 (GCVE-0-2026-42930)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-14 03:56- CWE-35 - Path Traversal: '.../...//'
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000160876 | vendor-advisorypatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T03:56:17.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.2",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.6",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.2",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen running in Appliance mode, an authenticated attacker assigned the \u0027Administrator\u0027 role may be able to bypass Appliance mode restrictions on a BIG-IP system.\u003c/span\u003e\n\n\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003eNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When running in Appliance mode, an authenticated attacker assigned the \u0027Administrator\u0027 role may be able to bypass Appliance mode restrictions on a BIG-IP system.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "CWE-35 Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:42.886Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000160876"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Appliance mode iControl REST vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42930",
"datePublished": "2026-05-13T14:12:42.886Z",
"dateReserved": "2026-04-30T23:04:27.939Z",
"dateUpdated": "2026-05-14T03:56:17.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42926 (GCVE-0-2026-42926)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:16- CWE-172 - Encoding Error
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161131 | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Unaffected:
1.31.0 , < *
(semver)
Affected: 1.29.4 , < 1.30.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:54:52.773305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:06:30.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_proxy_v2_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1.31.0",
"versionType": "semver"
},
{
"lessThan": "1.30.1",
"status": "affected",
"version": "1.29.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "F5 acknowledges Mufeed VH of Winfunc Research, Hcamael of aipyaipy, and \u7ae0\u9c7c\u54e5 of aipyaipy for bringing this issue to our attention and following the highest standards of coordinated disclosure."
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Open Source is configured to proxy HTTP/2 traffic by setting \u003c/span\u003e\u003cstrong\u003eproxy_http_version\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to 2, and also uses \u003c/span\u003e\u003cstrong\u003eproxy_set_body\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, an attacker may be able to inject frame headers and payload bytes to the upstream peer.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version\u00a0to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-172",
"description": "CWE-172 Encoding Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:16:54.456Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000161131"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "NGINX ngx_http_proxy_v2_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42926",
"datePublished": "2026-05-13T14:12:45.695Z",
"dateReserved": "2026-05-05T21:19:09.531Z",
"dateUpdated": "2026-05-13T16:16:54.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42924 (GCVE-0-2026-42924)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-14 03:56- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000160926 | vendor-advisorypatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T03:56:22.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.1",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.4",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.1",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "F5 acknowledges Adam Logue for bringing this issue to our attention and following the highest standards of coordinated disclosure."
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Appliance Mode"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:36.142Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000160926"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "BIG-IP iControl SOAP vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42924",
"datePublished": "2026-05-13T14:12:36.142Z",
"dateReserved": "2026-04-30T23:04:10.882Z",
"dateUpdated": "2026-05-14T03:56:22.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42920 (GCVE-0-2026-42920)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:14- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000160901 | vendor-advisorypatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T16:01:34.873735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:14:10.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.1",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.4",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.1",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.\u003c/span\u003e\n\u003c/span\u003e\u003c/span\u003e\u0026nbsp;Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:33.219Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000160901"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BIG-IP DTLS Vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42920",
"datePublished": "2026-05-13T14:12:33.219Z",
"dateReserved": "2026-04-30T23:02:47.685Z",
"dateUpdated": "2026-05-13T16:14:10.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42919 (GCVE-0-2026-42919)
Vulnerability from nvd – Published: 2026-05-13 14:12 – Updated: 2026-05-14 03:56- CWE-121 - Stack-based Buffer Overflow
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000158971 | vendor-advisorypatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T03:56:24.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.1",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.4",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.1",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary.\u003c/span\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003eNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:32.468Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000158971"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "F5 BIG-IP Appliance Mode Vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42919",
"datePublished": "2026-05-13T14:12:32.468Z",
"dateReserved": "2026-04-30T23:02:47.674Z",
"dateUpdated": "2026-05-14T03:56:24.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32682 (GCVE-0-2026-32682)
Vulnerability from cvelistv5 – Published: 2026-06-17 20:05 – Updated: 2026-06-18 12:57- CWE-129 - Improper Validation of Array Index
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161786 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Gateway Fabric |
Affected:
1.3.0 , < 2.6.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:57:19.705230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:57:26.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"GRPCRoutes"
],
"product": "NGINX Gateway Fabric",
"vendor": "F5",
"versions": [
{
"lessThan": "2.6.4",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When NGINX Gateway Fabric is configured using GRPCRoutes, an authenticated, remote attacker with permission to create or modify GRPCRoute resources can cause the NGINX Gateway Fabric control plane to terminate by sending undisclosed GRPCRoute configurations containing backendRef filters. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129 Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T20:05:17.808Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161786"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "NGINX Gateway Fabric vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-32682",
"datePublished": "2026-06-17T20:05:17.808Z",
"dateReserved": "2026-06-17T16:35:56.342Z",
"dateUpdated": "2026-06-18T12:57:26.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50107 (GCVE-0-2026-50107)
Vulnerability from cvelistv5 – Published: 2026-06-17 20:04 – Updated: 2026-06-18 12:57- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161785 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Gateway Fabric |
Affected:
2.3.0 , < 2.6.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T12:57:49.527832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T12:57:56.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Custom Resource Definitions"
],
"product": "NGINX Gateway Fabric",
"vendor": "F5",
"versions": [
{
"lessThan": "2.6.4",
"status": "affected",
"version": "2.3.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the \u003c/span\u003e\u003cstrong\u003eNginxProxy\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When NGINX Plus or NGINX Open Source is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy\u00a0Custom Resource Definition (CRD) access log format setting are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these CRDs may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T20:04:44.518Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161785"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "NGINX Gateway Fabric vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-50107",
"datePublished": "2026-06-17T20:04:44.518Z",
"dateReserved": "2026-06-17T16:35:56.336Z",
"dateUpdated": "2026-06-18T12:57:56.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11311 (GCVE-0-2026-11311)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:04 – Updated: 2026-06-17 15:42 X_F5- CWE-76 - Improper Neutralization of Equvalent Special Elements
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161611 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Gateway Fabric |
Affected:
2.5.0 , < 2.6.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:42:03.715663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:42:37.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"Custom Resource Definitions"
],
"product": "NGINX Gateway Fabric",
"vendor": "F5",
"versions": [
{
"lessThan": "2.6.4",
"status": "affected",
"version": "2.5.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the \u003c/span\u003e\u003cstrong\u003eNginxProxy\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Custom Resource Definition \u003c/span\u003e\u003cstrong\u003eserverTokens\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;field and the \u003c/span\u003e\u003cstrong\u003eAuthenticationFilter\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;Custom Resource Definition \u003c/span\u003e\u003cstrong\u003eextraAuthArgs\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy\u00a0Custom Resource Definition serverTokens\u00a0field and the AuthenticationFilter\u00a0Custom Resource Definition extraAuthArgs\u00a0field are rendered directly into NGINX configuration templates without sanitization or escaping. An authenticated attacker with permission to create or modify these Custom Resource Definitions may craft values that inject arbitrary NGINX configuration directives. This is a control plane issue; there is no data plane exposure from the vulnerability trigger itself. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-76",
"description": "CWE-76 Improper Neutralization of Equvalent Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:33.197Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161611"
}
],
"source": {
"discovery": "INTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX Gateway Fabric vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-11311",
"datePublished": "2026-06-17T14:04:33.197Z",
"dateReserved": "2026-06-04T18:01:54.825Z",
"dateUpdated": "2026-06-17T15:42:37.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48142 (GCVE-0-2026-48142)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:04 – Updated: 2026-06-17 15:42 X_F5- CWE-125 - Out-of-bounds Read
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161585 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.13.10 , < 1.31.2
(custom)
Affected: 1.30.0 , < 1.30.3 (custom) |
|
| F5 | NGINX Plus |
Affected:
37.0 , < 37.0.2.1
(custom)
Affected: R36 , < R36 P6 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:42:46.410409Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:42:56.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_charset_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.2",
"status": "affected",
"version": "1.13.10",
"versionType": "custom"
},
{
"lessThan": "1.30.3",
"status": "affected",
"version": "1.30.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_charset_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "37.0.2.1",
"status": "affected",
"version": "37.0",
"versionType": "custom"
},
{
"lessThan": "R36 P6",
"status": "affected",
"version": "R36",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges p4p3r of CYBERONE and Han Yan of Xiaomi for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_charset_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module. When content is served or proxied through a location block with both \u003c/span\u003e\u003cstrong\u003esource_charset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;utf-8; and a \u003c/span\u003e\u003cstrong\u003echarset\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive (for example, \u003c/span\u003e\u003cstrong\u003echarset koi8-r\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module\u00a0module. When content is served or proxied through a location block with both source_charset\u00a0utf-8; and a charset\u00a0directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:32.856Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161585"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX ngx_http_charset_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-48142",
"datePublished": "2026-06-17T14:04:32.856Z",
"dateReserved": "2026-06-02T21:45:04.856Z",
"dateUpdated": "2026-06-17T15:42:56.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42055 (GCVE-0-2026-42055)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:04 – Updated: 2026-06-30 12:08 X_F5| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161584 | vendor-advisory |
| https://access.redhat.com/security/cve/CVE-2026-42055 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489866 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:27197 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.13.10 , < 1.31.2
(custom)
Affected: 1.30.2 , < 1.30.3 (custom) |
|
| F5 | NGINX Plus |
Affected:
37.0 , < 37.0.2.1
(custom)
Affected: R36 , < R36 P6 (custom) |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:57:46.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-17T14:04:32.520Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngx_http_proxy_v2_module or ngx_http_grpc_module with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart of the NGINX worker process and a Denial of Service (DoS). Under certain conditions, such as when Address Space Layout Randomization (ASLR) is disabled or bypassed, this vulnerability could also allow for arbitrary code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:43.973Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42055"
},
{
"name": "RHBZ#2489866",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489866"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42055.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27197"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27197: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-17T16:01:41.848Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-17T14:04:32.520Z",
"value": "Made public."
}
],
"title": "nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, ensure that the `ignore_invalid_headers` directive is set to `on` in your NGINX configuration, or reduce the size specified by the `large_client_header_buffers` directive to 2 megabytes or less. These changes require an NGINX service reload or restart to take effect. Reloading the NGINX service is generally safe, but a restart will briefly interrupt service."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_proxy_v2_module",
"ngx_http_grpc_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.2",
"status": "affected",
"version": "1.13.10",
"versionType": "custom"
},
{
"lessThan": "1.30.3",
"status": "affected",
"version": "1.30.2",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_proxy_v2_module",
"ngx_http_grpc_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "37.0.2.1",
"status": "affected",
"version": "37.0",
"versionType": "custom"
},
{
"lessThan": "R36 P6",
"status": "affected",
"version": "R36",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges Mufeed VH of Winfunc Research, Trung Nguyen (@everping) of CyStack, Feng Xue and XGPT of ThreatBook, Hcamael and \u7ae0\u9c7c\u54e5 of aipyapp, and Zhen Yan (AntAISecurityLab) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Plus and NGINX Open Source have a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_proxy_v2_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_grpc_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules. This vulnerability exists when the \u003c/span\u003e\u003cstrong\u003eproxy_http_version to 2\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003egrpc_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directives are used to proxy HTTP/2 traffic, the \u003c/span\u003e\u003cstrong\u003eignore_invalid_headers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is set to off, and the \u003c/span\u003e\u003cstrong\u003elarge_client_header_buffers\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module\u00a0and ngx_http_grpc_module\u00a0modules. This vulnerability exists when the proxy_http_version to 2\u00a0or grpc_pass\u00a0directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers\u00a0directive is set to off, and the large_client_header_buffers\u00a0directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:32.520Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161584"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42055",
"datePublished": "2026-06-17T14:04:32.520Z",
"dateReserved": "2026-06-02T21:45:04.818Z",
"dateUpdated": "2026-06-30T12:08:43.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42530 (GCVE-0-2026-42530)
Vulnerability from cvelistv5 – Published: 2026-06-17 14:04 – Updated: 2026-06-30 12:08 X_F5- CWE-416 - Use After Free
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161616 | vendor-advisory |
| https://access.redhat.com/security/cve/CVE-2026-42530 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2489872 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Open Source |
Affected:
1.31.0 , < 1.31.2
(custom)
|
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Lightspeed proxy 1 |
cpe:/a:redhat:insights_proxy:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T03:57:47.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat Lightspeed proxy 1",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-17T14:04:32.173Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the ngx_http_v3_module module of NGINX. When NGINX is configured to use the HTTP/3 QUIC module, an attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream and cause a use-after-free issue, potentially allowing code execution or a denial of service by forcing the process to restart."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:40.670Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-42530"
},
{
"name": "RHBZ#2489872",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489872"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42530.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-17T16:02:06.547Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-17T14:04:32.173Z",
"value": "Made public."
}
],
"title": "nginx: ngx_http_v3_module: use-after-free issue leads to denial of service",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, disable HTTP/3 by removing quic from all listen directives."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_v3_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.2",
"status": "affected",
"version": "1.31.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges Trung Nguyen (@everping) of CyStack, Zhenpeng (Leo) Lin (depthfirst), Evan Hellman (@xintenseapple) of Trail of Bits in collaboration with OpenAI, AntAISecurityLab, and Nebula Security (@nebusecurity) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-06-17T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX Open Source has a vulnerability in the \u003c/span\u003e\u003cstrong\u003engx_http_v3_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Open Source has a vulnerability in the ngx_http_v3_module\u00a0module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T14:04:32.173Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161616"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX Open-Source ngx_http_v3_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-42530",
"datePublished": "2026-06-17T14:04:32.173Z",
"dateReserved": "2026-06-02T21:45:04.719Z",
"dateUpdated": "2026-06-30T12:08:40.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49975 (GCVE-0-2026-49975)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:26 – Updated: 2026-06-30 03:20| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache HTTP Server |
Affected:
2.4.17 , ≤ 2.4.67
(semver)
|
|
| Red Hat | Red Hat JBoss Core Services on RHEL 7 Server |
cpe:/a:redhat:jboss_core_services:1::el7 |
|
| Red Hat | Red Hat JBoss Core Services on RHEL 8 |
cpe:/a:redhat:jboss_core_services:1::el8 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 8) |
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat JBoss Core Services 2.4.62.SP4 |
cpe:/a:redhat:jboss_core_services:1 |
|
| Red Hat | Red Hat OpenShift Service Mesh 2.6 |
cpe:/a:redhat:service_mesh:2.6::el9 |
|
| Red Hat | Red Hat JBoss Core Services |
cpe:/a:redhat:jboss_core_services:1 |
|
| Red Hat | Red Hat JBoss Web Server 5 |
cpe:/a:redhat:jboss_enterprise_web_server:5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-08T22:32:35.729Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/03/3"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/08/16"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49975",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T10:27:36.270403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T10:29:04.207Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/EQSTLab/CVE-2026-49975"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1::el7"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Core Services on RHEL 7 Server",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1::el8"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Core Services on RHEL 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Core Services 2.4.62.SP4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:service_mesh:2.6::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Service Mesh 2.6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_core_services:1"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Core Services",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jboss_enterprise_web_server:5"
],
"defaultStatus": "unaffected",
"product": "Red Hat JBoss Web Server 5",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:20:31.791Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-49975"
},
{
"name": "RHBZ#2485371",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485371"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27200"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25225"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25090"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25057"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25042"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27201"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:27114"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:27200: Red Hat JBoss Core Services on RHEL 7 Server, Red Hat JBoss Core Services on RHEL 8"
},
{
"lang": "en",
"value": "RHSA-2026:25225: Red Hat Enterprise Linux AppStream (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:25090: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:25057: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:25042: Red Hat Hardened Images"
},
{
"lang": "en",
"value": "RHSA-2026:27201: Red Hat JBoss Core Services 2.4.62.SP4"
},
{
"lang": "en",
"value": "RHSA-2026:27114: Red Hat OpenShift Service Mesh 2.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T06:04:44.009Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-03T00:00:00.000Z",
"value": "Made public."
}
],
"title": "httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack",
"workarounds": [
{
"lang": "en",
"value": "See the security bulletin for a detailed mitigation procedure."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.4.67",
"status": "affected",
"version": "2.4.17",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Quang Luong of Calif.IO in collaboration with OpenAI Codex"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMemory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\n\nThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789 Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:26:04.674Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-26T12:00:00.000Z",
"value": "reported"
},
{
"lang": "en",
"time": "2026-05-27T12:00:00.000Z",
"value": "fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c"
},
{
"lang": "en",
"time": "2026-06-02T12:00:00.000Z",
"value": "fixed in 2.4.x by r1934882"
},
{
"lang": "eng",
"time": "2026-06-08T12:00:00.000Z",
"value": "2.4.68 released"
}
],
"title": "Apache HTTP Server: mod_http2 denial of service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-49975",
"datePublished": "2026-06-08T15:26:04.674Z",
"dateReserved": "2026-06-02T17:20:37.983Z",
"dateUpdated": "2026-06-30T03:20:31.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9256 (GCVE-0-2026-9256)
Vulnerability from cvelistv5 – Published: 2026-05-22 14:11 – Updated: 2026-06-30 12:10 X_F5- CWE-122 - Heap-based Buffer Overflow
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161377 | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| https://lists.debian.org/debian-lts-announce/2026… | |
| https://access.redhat.com/security/cve/CVE-2026-9256 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480746 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:29874 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28921 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28212 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:28973 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29151 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:33313 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:20351 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX Plus |
Affected:
37.0 , < 37.0.1.1
(custom)
Affected: R36 , < R36 P5 (custom) Affected: R32 , < R32 P7 (custom) |
|
| F5 | NGINX Open Source |
Affected:
1.31.0 , < 1.31.1
(custom)
Affected: 1.30.0 , < 1.30.2 (custom) Affected: 0.1.17 , ≤ 0.9.7 (custom) |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 8) |
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder (v. 9) |
cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Discovery 2 |
cpe:/a:redhat:discovery:2::el9 |
|
| Red Hat | Red Hat Hardened Images |
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Lightspeed proxy 1 |
cpe:/a:redhat:insights_proxy:1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T03:55:52.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-06-18T05:35:40.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/22/14"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00023.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1"
],
"defaultStatus": "affected",
"product": "Red Hat Lightspeed proxy 1",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-22T14:11:41.877Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the ngx_http_rewrite_module module of NGINX. When a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures and a replacement string that references multiple such captures in a redirect or arguments context, an unauthenticated attacker can send crafted HTTP requests and cause a heap-based buffer overflow in the worker process, potentially allowing code execution or a denial of service by forcing the process to restart."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:10:51.319Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9256"
},
{
"name": "RHBZ#2480746",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480746"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9256.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29874"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28921"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28212"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:28973"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29151"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:33313"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:20351"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:29874: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:28921: Red Hat Enterprise Linux AppStream (v. 8)"
},
{
"lang": "en",
"value": "RHSA-2026:28212: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:28973: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:29151: Red Hat Enterprise Linux AppStream (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:33313: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:20351: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T15:00:55.131Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-22T14:11:41.877Z",
"value": "Made public."
}
],
"title": "nginx: ngx_http_rewrite_module: code execution and denial of service",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this vulnerability, use named captures instead of unnamed captures in rewrite definitions.\n\nFor example, the following rewrite directive uses unnamed PCRE capture groups, $1 and $2:\n\n~~~\nrewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1\u0026tab=$2 last;\n~~~\n\nTo mitigate this vulnerability for this example, replace $1 and $2 with the appropriate named captures, $user_id and $section:\n\n~~~\nrewrite ^/users/(?\u003cuser_id\u003e[0-9]+)/profile/(?\u003csection\u003e.*)$ /profile.php?id=$user_id\u0026tab=$section last;\n~~~"
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_rewrite_module"
],
"product": "NGINX Plus",
"vendor": "F5",
"versions": [
{
"lessThan": "37.0.1.1",
"status": "affected",
"version": "37.0",
"versionType": "custom"
},
{
"lessThan": "R36 P5",
"status": "affected",
"version": "R36",
"versionType": "custom"
},
{
"lessThan": "R32 P7",
"status": "affected",
"version": "R32",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"ngx_http_rewrite_module"
],
"product": "NGINX Open Source",
"vendor": "F5",
"versions": [
{
"lessThan": "1.31.1",
"status": "affected",
"version": "1.31.0",
"versionType": "custom"
},
{
"lessThan": "1.30.2",
"status": "affected",
"version": "1.30.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "0.9.7",
"status": "affected",
"version": "0.1.17",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges Mufeed VH of Winfunc Research, Nebula Security (@nebusecurity), and Vexera AI for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-05-22T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T18:20:47.449Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161377"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX ngx_http_rewrite_module vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-9256",
"datePublished": "2026-05-22T14:11:41.877Z",
"dateReserved": "2026-05-21T20:58:58.484Z",
"dateUpdated": "2026-06-30T12:10:51.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8711 (GCVE-0-2026-8711)
Vulnerability from cvelistv5 – Published: 2026-05-19 14:04 – Updated: 2026-05-21 18:29 X_F5- CWE-122 - Heap-based Buffer Overflow
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000161307 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | NGINX JavaScript |
Affected:
0.9.4 , < 0.9.9
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T03:55:39.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ngx_http_js_module"
],
"product": "NGINX JavaScript",
"vendor": "F5",
"versions": [
{
"lessThan": "0.9.9",
"status": "affected",
"version": "0.9.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\"F5 acknowledges udolemi (S2W) for bringing this issue to our attention and following the highest standards of coordinated disclosure.\""
}
],
"datePublic": "2026-05-19T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNGINX JavaScript has a vulnerability when the \u003c/span\u003e\u003cstrong\u003ejs_fetch_proxy\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;directive is configured with at least one client-controlled NGINX variable (for example, \u003c/span\u003e\u003cstrong\u003e$http_*\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003e$arg_*\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, \u003c/span\u003e\u003cstrong\u003e$cookie_*\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.\u003c/span\u003e \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "NGINX JavaScript has a vulnerability when the js_fetch_proxy\u00a0directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T18:29:16.674Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K000161307"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_F5"
],
"title": "NGINX JavaScript vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-8711",
"datePublished": "2026-05-19T14:04:18.860Z",
"dateReserved": "2026-05-15T20:10:29.764Z",
"dateUpdated": "2026-05-21T18:29:16.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2026-AVI-0643
Vulnerability from certfr_avis - Published: 2026-05-26 - Updated: 2026-05-26
Une vulnérabilité a été découverte dans Nginx. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
L'éditeur indique que les versions 0.x de Nginx Open Source n'auront pas de correctifs
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "NGINX Plus versions Rx ant\u00e9rieures \u00e0 R36 P5 ou R32 P7",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions 37.x ant\u00e9rieures \u00e0 37.0.1.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions post\u00e9rieures \u00e0 1.31.0 ant\u00e9rieures \u00e0 1.31.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions 1.x ant\u00e9rieures \u00e0 1.30.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
}
],
"affected_systems_content": "L\u0027\u00e9diteur indique que les versions 0.x de Nginx Open Source n\u0027auront pas de correctifs",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-9256",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9256"
}
],
"initial_release_date": "2026-05-26T00:00:00",
"last_revision_date": "2026-05-26T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0643",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Nginx. Elle permet \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et un d\u00e9ni de service \u00e0 distance.",
"title": "Vuln\u00e9rabilit\u00e9 dans Nginx",
"vendor_advisories": [
{
"published_at": "2026-05-22",
"title": "Bulletin de s\u00e9curit\u00e9 F5 K000161377",
"url": "https://my.f5.com/manage/s/article/K000161377"
}
]
}
CERTFR-2026-AVI-0619
Vulnerability from certfr_avis - Published: 2026-05-20 - Updated: 2026-05-20
Une vulnérabilité a été découverte dans F5 NGINX. Elle permet à un attaquant de provoquer une exécution de code arbitraire et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "NGINX JavaScript (njs) versions 0.9.4 \u00e0 0.9.8 ant\u00e9rieures \u00e0 0.9.9",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-8711",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8711"
}
],
"initial_release_date": "2026-05-20T00:00:00",
"last_revision_date": "2026-05-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0619",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans F5 NGINX. Elle permet \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire et un d\u00e9ni de service \u00e0 distance.",
"title": "Vuln\u00e9rabilit\u00e9 dans F5 NGINX",
"vendor_advisories": [
{
"published_at": "2026-05-19",
"title": "Bulletin de s\u00e9curit\u00e9 F5 K000161307",
"url": "https://my.f5.com/manage/s/article/K000161307"
}
]
}
CERTFR-2026-AVI-0591
Vulnerability from certfr_avis - Published: 2026-05-15 - Updated: 2026-05-15
De multiples vulnérabilités ont été découvertes dans les produits F5. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description | ||
|---|---|---|---|---|
| F5 | N/A | BIG-IP APM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP DNS versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | BIG-IP | BIG-IP versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | BIG-IP Next | BIG-IP Next for Kubernetes versions 2.x antérieures à 2.2.0 | ||
| F5 | NGINX | F5 DoS for NGINX versions 4.8.0 | ||
| F5 | BIG-IP | BIG-IP versions 16.1.0 à 16.1.6 antérieures à 17.1.3 | ||
| F5 | N/A | BIG-IP DNS versions 17.5.0 à 17.5.1 antérieures à 21.0.0 | ||
| F5 | BIG-IP Next | BIG-IP Next SPK versions 1.7.0 à 1.7.16 antérieures à 1.7.17 | ||
| F5 | BIG-IP | BIG-IP versions 21.0.x antérieures à 21.0.0.2 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 21.0.0 antérieures à 21.0.0.1 (SSL Orchestrator 13.1.3) | ||
| F5 | BIG-IP Next | BIG-IP Next SPK versions 2.0.0 à 2.0.2 antérieures à 2.0.3 | ||
| F5 | NGINX | NGINX Open Source versions 1.0.0 à 1.30.0 antérieures à 1.30.1 | ||
| F5 | N/A | BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | NGINX | NGINX Gateway Fabric versions 1.3.0 à 1.6.2 | ||
| F5 | BIG-IP Next | BIG-IP Next CNF versions 2.0.0 à 2.0.2 antérieures à 2.0.3 | ||
| F5 | NGINX | NGINX App Protect DoS versions 4.3.0 à 4.7.0 | ||
| F5 | N/A | BIG-IP APM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX App Protect WAF versions 4.9.0 à 4.16.0 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 (SSL Orchestrator 12.3.2) | ||
| F5 | NGINX | NGINX Ingress Controller versions 5.0.0 à 5.4.2 | ||
| F5 | BIG-IP | BIG-IP versions 17.5.0 à 17.5.1 antérieures à 21.0.0.2 | ||
| F5 | NGINX | NGINX Ingress Controller versions 3.5.0 à 3.7.2 | ||
| F5 | NGINX | NGINX Open Source versions 0.3.50 à 0.9.7 antérieures à 1.30.1 | ||
| F5 | N/A | BIG-IP DNS versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | NGINX | NGINX Instance Manager versions 2.16.0 à 2.21.1 | ||
| F5 | N/A | BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX Plus versions R36 antérieures à R36 P4 | ||
| F5 | BIG-IQ | BIG-IQ Centralized Management versions 8.4.0 antérieures à 8.4.1 | ||
| F5 | N/A | BIG-IP SSL Orchestrator versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 (SSL Orchestrator 12.3.2) | ||
| F5 | BIG-IP Next | BIG-IP Next CNF versions 1.1.0 à 1.4.0 antérieures à 1.4.1 | ||
| F5 | NGINX | NGINX App Protect WAF versions 5.1.0 à 5.8.0 | ||
| F5 | NGINX | NGINX Gateway Fabric versions 2.0.0 à 2.6.0 | ||
| F5 | NGINX | NGINX Ingress Controller versions 4.0.0 à 4.0.1 | ||
| F5 | N/A | BIG-IP PEM versions 17.1.0 à 17.1.3 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP APM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP DNS versions 16.1.0 à 16.1.6 antérieures à 17.1.3.1 | ||
| F5 | N/A | BIG-IP PEM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | N/A | BIG-IP Advanced WAF/ASM versions 21.0.x antérieures à 21.0.0.1 | ||
| F5 | N/A | BIG-IP PEM versions 17.5.0 à 17.5.1 antérieures à 17.5.1.4 | ||
| F5 | NGINX | NGINX Plus versions R32 antérieures à R32 P6 | ||
| F5 | NGINX | F5 WAF for NGINX versions 5.9.0 à 5.12.1 |
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "BIG-IP APM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next for Kubernetes versions 2.x ant\u00e9rieures \u00e0 2.2.0",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "F5 DoS for NGINX versions 4.8.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 16.1.0 \u00e0 16.1.6 ant\u00e9rieures \u00e0 17.1.3",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 21.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next SPK versions 1.7.0 \u00e0 1.7.16 ant\u00e9rieures \u00e0 1.7.17",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.2",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 21.0.0 ant\u00e9rieures \u00e0 21.0.0.1 (SSL Orchestrator 13.1.3)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next SPK versions 2.0.0 \u00e0 2.0.2 ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions 1.0.0 \u00e0 1.30.0 ant\u00e9rieures \u00e0 1.30.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Gateway Fabric versions 1.3.0 \u00e0 1.6.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next CNF versions 2.0.0 \u00e0 2.0.2 ant\u00e9rieures \u00e0 2.0.3",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect DoS versions 4.3.0 \u00e0 4.7.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP APM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect WAF versions 4.9.0 \u00e0 4.16.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1 (SSL Orchestrator 12.3.2)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 5.0.0 \u00e0 5.4.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 21.0.0.2",
"product": {
"name": "BIG-IP",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 3.5.0 \u00e0 3.7.2",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Open Source versions 0.3.50 \u00e0 0.9.7 ant\u00e9rieures \u00e0 1.30.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Instance Manager versions 2.16.0 \u00e0 2.21.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP BIG-IP Advanced WAF/ASM and BIG-IP DDoS Hybrid Defender versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R36 ant\u00e9rieures \u00e0 R36 P4",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IQ Centralized Management versions 8.4.0 ant\u00e9rieures \u00e0 8.4.1",
"product": {
"name": "BIG-IQ",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP SSL Orchestrator versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4 (SSL Orchestrator 12.3.2)",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Next CNF versions 1.1.0 \u00e0 1.4.0 ant\u00e9rieures \u00e0 1.4.1",
"product": {
"name": "BIG-IP Next",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX App Protect WAF versions 5.1.0 \u00e0 5.8.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Gateway Fabric versions 2.0.0 \u00e0 2.6.0",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Ingress Controller versions 4.0.0 \u00e0 4.0.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 17.1.0 \u00e0 17.1.3 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP APM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP DNS versions 16.1.0 \u00e0 16.1.6 ant\u00e9rieures \u00e0 17.1.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP Advanced WAF/ASM versions 21.0.x ant\u00e9rieures \u00e0 21.0.0.1",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "BIG-IP PEM versions 17.5.0 \u00e0 17.5.1 ant\u00e9rieures \u00e0 17.5.1.4",
"product": {
"name": "N/A",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "NGINX Plus versions R32 ant\u00e9rieures \u00e0 R32 P6",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
},
{
"description": "F5 WAF for NGINX versions 5.9.0 \u00e0 5.12.1",
"product": {
"name": "NGINX",
"vendor": {
"name": "F5",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-41227",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41227"
},
{
"name": "CVE-2026-39458",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39458"
},
{
"name": "CVE-2026-42781",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42781"
},
{
"name": "CVE-2026-42780",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42780"
},
{
"name": "CVE-2026-40701",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40701"
},
{
"name": "CVE-2026-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42920"
},
{
"name": "CVE-2026-42409",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42409"
},
{
"name": "CVE-2026-42946",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42946"
},
{
"name": "CVE-2026-42937",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42937"
},
{
"name": "CVE-2026-42919",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42919"
},
{
"name": "CVE-2026-42934",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42934"
},
{
"name": "CVE-2026-42406",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42406"
},
{
"name": "CVE-2026-40435",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40435"
},
{
"name": "CVE-2026-34176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34176"
},
{
"name": "CVE-2026-40629",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40629"
},
{
"name": "CVE-2026-32673",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32673"
},
{
"name": "CVE-2026-41953",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41953"
},
{
"name": "CVE-2026-40061",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40061"
},
{
"name": "CVE-2026-42924",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42924"
},
{
"name": "CVE-2026-41225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41225"
},
{
"name": "CVE-2026-35062",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35062"
},
{
"name": "CVE-2026-40423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40423"
},
{
"name": "CVE-2026-34019",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34019"
},
{
"name": "CVE-2026-42926",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42926"
},
{
"name": "CVE-2026-20916",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-20916"
},
{
"name": "CVE-2026-41957",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41957"
},
{
"name": "CVE-2026-39455",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39455"
},
{
"name": "CVE-2026-40618",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40618"
},
{
"name": "CVE-2026-40631",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40631"
},
{
"name": "CVE-2026-32643",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32643"
},
{
"name": "CVE-2026-41217",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41217"
},
{
"name": "CVE-2026-40698",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40698"
},
{
"name": "CVE-2026-39459",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39459"
},
{
"name": "CVE-2026-40703",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40703"
},
{
"name": "CVE-2026-28758",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28758"
},
{
"name": "CVE-2026-41954",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41954"
},
{
"name": "CVE-2026-40699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40699"
},
{
"name": "CVE-2026-40462",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40462"
},
{
"name": "CVE-2026-41219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41219"
},
{
"name": "CVE-2026-24464",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24464"
},
{
"name": "CVE-2026-40067",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40067"
},
{
"name": "CVE-2026-42063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42063"
},
{
"name": "CVE-2026-42408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42408"
},
{
"name": "CVE-2026-40060",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40060"
},
{
"name": "CVE-2026-42945",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42945"
},
{
"name": "CVE-2026-41956",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41956"
},
{
"name": "CVE-2026-41218",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41218"
},
{
"name": "CVE-2026-41959",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41959"
},
{
"name": "CVE-2026-42930",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42930"
},
{
"name": "CVE-2026-40460",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40460"
},
{
"name": "CVE-2026-42058",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42058"
}
],
"initial_release_date": "2026-05-15T00:00:00",
"last_revision_date": "2026-05-15T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0591",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-15T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits F5. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits F5",
"vendor_advisories": [
{
"published_at": "2026-05-13",
"title": "Bulletin de s\u00e9curit\u00e9 F5 K000160932",
"url": "https://my.f5.com/manage/s/article/K000160932"
}
]
}