F5 Releases Security Updates for NGINX Vulnerability CVE-2026-42945
Summary
NGINX Plus and NGINX Open Source have a vulnerability that could force a restart or allow code execution if exploited
Affected platforms
NGINX Plus and NGINX Open Source are known to be affected (see Threat details for the affected branches).
The following platforms are also known to be affected:
- NGINX Instance Manager - 2.x
- F5 WAF for NGINX - 5.x
- NGINX App Protect WAF - 5.x
- F5 DoS for NGINX - 4.x
- NGINX App Protect DoS - 4.x
- NGINX Gateway Fabric - 2.x and 1.x
- NGINX Ingress Controller - 5.x, 4.x, and 3.x
F5 also lists the following version as affected, but no fixed version will be released for it:
- NGINX Open Source - 0.x
Note: Other software versions which have reached End of Technical Support (EoTS) are not evaluated.
Note: Products from other vendors that include the base NGINX Plus or NGINX Open Source software components may also be affected.
Threat details
Proof-of-concept released for CVE-2026-42945
A proof-of-concept has been released for the vulnerability CVE-2026-42945. Exploitation is considered more likely.
Introduction
F5 has released a security advisory for a vulnerability affecting F5 NGINX products, including NGINX Plus (branch Rx) and NGINX Open Source (branch 1.x).
Successful exploitation by an unauthenticated, remote attacker could cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomisation (ASLR) disabled, code execution is possible.
- CVE-2026-42945 - Heap-based Buffer Overflow vulnerability with a CVSSv4 base score of 9.2
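The advisory above describes two things a defender can check for directly: whether ASLR is enabled on the host (the advisory states that code execution is only expected where ASLR is disabled) and whether NGINX worker processes have been crashing and restarting. The following POSIX shell script is an added example written for this page, not code from F5 or the NGINX project. It assumes the standard NGINX error-log wording "worker process PID exited on signal N" and the Linux sysctl file /proc/sys/kernel/randomize_va_space; the sample log lines it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the F5 advisory or the NGINX project).
# 1. Report the host's ASLR level, since the advisory says code execution
#    is expected only where ASLR is disabled.
# 2. Count worker-process crashes in an NGINX error log, the restart
#    symptom the advisory describes for the heap buffer overflow.
# Assumption: NGINX error-log lines of the form
#   "[alert] PID#TID: worker process PID exited on signal N"

# Print the ASLR level from a sysctl file: 0 = off, 1 = partial, 2 = full.
# The optional path argument lets a caller point at a constructed file.
aslr_level() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo "unknown"
    fi
}

# Translate an ASLR level into a verdict a report can act on.
aslr_verdict() {
    case "$1" in
        2|1) echo "enabled" ;;
        0)   echo "disabled" ;;
        *)   echo "unknown" ;;
    esac
}

# Count every worker exit caused by a signal in an NGINX error log.
# "|| true" keeps "set -e" scripts alive when grep finds no matches (it
# still prints 0 in that case).
worker_crash_count() {
    grep -Ec 'worker process [0-9]+ exited on signal [0-9]+' "$1" || true
}

# Count only SIGSEGV (signal 11) exits, the usual sign of memory corruption.
segv_count() {
    grep -Ec 'worker process [0-9]+ exited on signal 11( |$)' "$1" || true
}

# Demonstration on a constructed error log (not real data).
demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
2026/05/14 10:01:02 [notice] 1200#0: start worker process 1201
2026/05/14 10:05:17 [alert] 1200#0: worker process 1201 exited on signal 11 (core dumped)
2026/05/14 10:05:17 [notice] 1200#0: start worker process 1220
2026/05/14 10:07:44 [error] 1220#0: *3 open() "/var/www/missing" failed (2: No such file or directory)
2026/05/14 10:09:01 [alert] 1200#0: worker process 1220 exited on signal 6
EOF
    echo "ASLR: $(aslr_verdict "$(aslr_level)")"
    echo "worker crashes (any signal): $(worker_crash_count "$log")"
    echo "worker crashes (SIGSEGV): $(segv_count "$log")"
    rm -f "$log"
}
demo
```

On a real host, run the crash counters against /var/log/nginx/error.log (or wherever error_log points); an ASLR verdict of "disabled" combined with a rising SIGSEGV count is the combination this advisory warns about and should be treated as a priority for patching.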
Remediation advice
Affected organisations are strongly encouraged to review F5's security advisory K000161019: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 and apply any relevant updates or mitigation.
Definitive source of threat updates
Last edited: 14 May 2026 3:19 pm