F5 issues out-of-band patches for critical NGINX flaw CVE-2026-42533 and other NGINX, Ingress Controller, and BIG-IP bugs

F5 released emergency security updates for NGINX and BIG-IP products, including a critical bug that can let specially crafted web requests crash or potentially compromise affected servers. The most severe issue, CVE-2026-42533, affects NGINX Plus and NGINX Open Source and can cause a heap buffer overflow; code execution is possible if Address Space Layout Randomization (ASLR) is disabled. F5 also fixed high-severity flaws in ngx_http_slice_module, ngx_http_ssi_module, NGINX Ingress Controller, and BIG-IP, including bugs that can leak memory, modify configuration, delete files, disable services, or cause denial of service.
Why it matters: Organizations running F5 NGINX, NGINX Ingress Controller, or BIG-IP should treat this as urgent because internet-facing systems could be crashed, manipulated, or in some setups remotely compromised. Apply F5's out-of-band updates promptly and review exposed NGINX and BIG-IP deployments, especially those handling public HTTP or HTTP/2 traffic.

Sources

F5 Patches Multiple NGINX, BIG-IP Vulnerabilities
Ionut Arghire 2026.07.16 100% relevant
This article establishes a distinct patch event: F5's out-of-band July 16, 2026 release for multiple NGINX, NGINX Ingress Controller, and BIG-IP vulnerabilities centered on CVE-2026-42533.
← Back to all stories