CVE-2026-42533 PUBLISHED

NGINX Map directive and Regex matching vulnerability

Assigner: f5
Reserved: 05.05.2026 Published: 15.07.2026 Updated: 15.07.2026

A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Impact: This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor F5
Product NGINX Plus
Versions Default: unknown
  • affected from 37.0.0.1 to 37.0.3.1 (excl.)
  • affected from R36 to R36 P7 (excl.)
  • affected from R33 to * (excl.)
Vendor F5
Product NGINX Open Source
Versions Default: unknown
  • affected from 1.31.2 to 1.31.3 (excl.)
  • affected from 0.9.6 to 1.30.4 (excl.)

Credits

  • F5 acknowledges Security Researchers Ming Xuan of AntAISecurityLab, DKD(@pidifn) of AntAISecurityLab, Rafael Gacek, Ji'an Zhou (AntAISecurityLab), Zhen Yan (AntAISecurityLab), Sergii Negodiuk of EVO.company, Lam Jun Rong of Calif.io, Mufeed VH of Winfunc Research (winfunc.com), Vexera AI (https://vexera.ai), Tu Tran Dinh (@1w4y), Stan Shaw (cyberstan), qianshuidewajueji, zenneth (randomguy6407), "Zhenpeng (Leo) Lin" from "depthfirst", Lukas Johannes Moeller, and Milan Jovic (Kljunowsky) for independently bringing this issue to our attention and following the highest standards of coordinated disclosure. reporter

References

Problem Types

  • CWE-122 Heap-based Buffer Overflow CWE