Heap Buffer Overflow in NGINX JavaScript due to Improper Configuration
CVE-2026-8711
9.2 CRITICAL
What is CVE-2026-8711?
The NGINX JavaScript component is susceptible to a heap buffer overflow when the js_fetch_proxy directive uses client-controlled variables, such as $http_*, $arg_*, or $cookie_*. An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests that invoke the ngx.fetch() operation. This could make the NGINX worker process unstable, resulting in a restart. Additionally, if Address Space Layout Randomization (ASLR) is not enabled, the issue could allow arbitrary code execution.
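To check a configuration for the condition described above, the following added example (not code from F5 or the NGINX project) scans configuration text for js_fetch_proxy directives whose arguments reference $http_*, $arg_* or $cookie_* variables. The sample configuration, host names and ports are constructed for illustration, and the scanner does not follow include files.

```python
import re

# Variable families the advisory names as client-controlled.
CLIENT_VAR = re.compile(r"\$\{?((?:http|arg|cookie)_\w+)")
# A js_fetch_proxy directive: name, arguments, terminating semicolon.
DIRECTIVE = re.compile(r"\bjs_fetch_proxy\s+([^;]*);")

def strip_comment(line):
    """Drop an nginx '#' comment, ignoring '#' inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def audit(conf_text):
    """Return [(line_no, "$variable")] for every client-controlled variable
    found in the arguments of a js_fetch_proxy directive."""
    text = "\n".join(strip_comment(l) for l in conf_text.splitlines())
    findings = []
    for d in DIRECTIVE.finditer(text):
        line_no = text.count("\n", 0, d.start()) + 1
        for v in CLIENT_VAR.finditer(d.group(1)):
            findings.append((line_no, "$" + v.group(1)))
    return findings

# Constructed sample configuration (host names and ports are made up).
SAMPLE = """\
server {
    location /a {
        js_fetch_proxy http://$arg_proxy:3128;   # client-controlled
    }
    location /b {
        js_fetch_proxy http://proxy.internal.example:3128;
    }
    location /c {
        # js_fetch_proxy http://$http_x_proxy;
        js_fetch_proxy
            http://${cookie_px}:8080;
    }
}
"""

if __name__ == "__main__":
    for line_no, var in audit(SAMPLE):
        print(f"line {line_no}: js_fetch_proxy uses {var}")
```

Any finding marks a directive to rewrite with a fixed proxy address while the affected njs version is still deployed.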
Affected Version(s)
NGINX JavaScript 0.9.4 < 0.9.9
CVSS V4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
"F5 acknowledges udolemi (S2W) for bringing this issue to our attention and following the highest standards of coordinated disclosure."