🔐 CVE Alert

CVE-2026-42533

HIGH 8.1

NGINX Map directive and Regex matching vulnerability

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Impact: This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE CWE-122
Vendor f5
Product nginx plus
Published Jul 15, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for f5 nginx plus

Be the first to know when new high vulnerabilities affecting f5 nginx plus are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

F5 / NGINX Plus
37.0.0.1 < 37.0.3.1 R36 < R36 P7 R33 < *
F5 / NGINX Open Source
1.31.2 < 1.31.3 0.9.6 < 1.30.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗
my.f5.com: https://my.f5.com/manage/s/article/K000162097

Credits

🔍 F5 acknowledges Ming Xuan, DKD (@pidifn), Ji'an Zhou, and Zhen Yan of AntAISecurityLab, Rafael Gacek, Sergii Negodiuk of EVO.company, Lam Jun Rong of Calif.io, Mufeed VH of Winfunc Research (winfunc.com), Vexera AI (https://vexera.ai), Tu Tran Dinh (@1w4y), Stan Shaw (cyberstan), qianshuidewajueji, zenneth (randomguy6407), Zhenpeng (Leo) Lin of depthfirst, Lukas Johannes Moeller, Melih Tolga Sahin of Vodafone Türkiye, Ayoub Nabil Boubagrat (GitHub: @ayoubnabil), and Milan Jovic (Kljunowsky) for independently bringing this issue to our attention and following the highest standards of coordinated disclosure.