F5 released emergency security updates for NGINX and BIG-IP products, including a critical bug that can let specially crafted web requests crash or potentially compromise affected servers. The most severe issue, CVE-2026-42533, affects NGINX Plus and NGINX Open Source and can cause a heap buffer overflow; code execution is possible if Address Space Layout Randomization (ASLR) is disabled. F5 also fixed high-severity flaws in ngx_http_slice_module, ngx_http_ssi_module, NGINX Ingress Controller, and BIG-IP, including bugs that can leak memory, modify configuration, delete files, disable services, or cause denial of service.
Why it matters: Organizations running F5 NGINX, NGINX Ingress Controller, or BIG-IP should treat this as urgent because internet-facing systems could be crashed, manipulated, or in some setups remotely compromised. Apply F5's out-of-band updates promptly and review exposed NGINX and BIG-IP deployments, especially those handling public HTTP or HTTP/2 traffic.
Ionut Arghire
2026.07.16
100% relevant
This article establishes a distinct patch event: F5's out-of-band July 16, 2026 release for multiple NGINX, NGINX Ingress Controller, and BIG-IP vulnerabilities centered on CVE-2026-42533.
← Back to all stories