Heap Buffer Overflow in NGINX Plus and Open Source during Regex Mapping
CVE-2026-42533

9.2CRITICAL

Key Information:

Vendor

F5

Vendor
CVE Published:
15 July 2026

What is CVE-2026-42533?

A vulnerability in NGINX Plus and NGINX Open Source arises when a map directive improperly utilizes regex matching in conjunction with string expressions referencing the map’s regex capture variables before the map output variable, or when non-cacheable variables are used under specific conditions. Unauthenticated attackers can exploit this vulnerability by sending specially crafted HTTP requests, potentially leading to a heap buffer overflow within the NGINX worker process. This may result in service interruptions or allow code execution if Address Space Layout Randomization (ASLR) is disabled or can be bypassed.

Affected Version(s)

NGINX Open Source 1.31.2 < 1.31.3

NGINX Open Source 0.9.6 < 1.30.4

NGINX Plus 37.0.0.1 < 37.0.3.1

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5 acknowledges Security Researchers Ming Xuan of AntAISecurityLab, DKD(@pidifn) of AntAISecurityLab, Rafael Gacek, Ji'an Zhou (AntAISecurityLab), Zhen Yan (AntAISecurityLab), Sergii Negodiuk of EVO.company, Lam Jun Rong of Calif.io, Mufeed VH of Winfunc Research (winfunc.com), Vexera AI (https://vexera.ai), Tu Tran Dinh (@1w4y), Stan Shaw (cyberstan), qianshuidewajueji, zenneth (randomguy6407), "Zhenpeng (Leo) Lin" from "depthfirst", Lukas Johannes Moeller, and Milan Jovic (Kljunowsky) for independently bringing this issue to our attention and following the highest standards of coordinated disclosure.
.