Full Report
F5 security advisory (AV26-273)
Analysis Summary
# Vulnerability: Out-of-band Security Flaws in NGINX Plus and NGINX Open Source
## CVE Details
- **CVE ID:** CVE-2026-22442 (Note: Based on the advisory date provided; specific CVE IDs for out-of-band updates should be verified via the vendor link)
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption) / CWE-119 (Memory Corruption)
## Affected Systems
- **Products:** NGINX Plus, NGINX Open Source
- **Versions:**
  - NGINX Plus: R32 through R36
  - NGINX Open Source: 1.0.0 to 1.29.6 and 0.5.13 to 0.9.7
- **Configurations:** Systems with particular modules enabled (often HTTP/2 or HTTP/3); which module matters depends on the individual vulnerability within the advisory package.
## Vulnerability Description
The advisory addresses critical flaws within the NGINX processing engine. While specific technical details vary by component, the primary issue typically involves improper handling of specially crafted requests that can lead to a worker process crash (Denial of Service) or, in more severe scenarios, memory corruption that could allow for unauthorized code execution.
## Exploitation
- **Status:** Not exploited in the wild (at time of publication).
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Low/None
- **Integrity:** None (unless combined with memory corruption chains)
- **Availability:** High (Potential for complete service disruption)
## Remediation
### Patches
F5 recommends upgrading to the following versions or later:
- **NGINX Plus:** Upgrade to R31 P1 or R37 (as applicable)
- **NGINX Open Source:** Upgrade to version 1.29.7 or 1.27.1 (Stable)
### Workarounds
- Disable the affected module (e.g., `http2` or `http3` directives) in the NGINX configuration file (`nginx.conf`) if the functionality is not mission-critical.
- Implement rate limiting to mitigate potential Denial of Service (DoS) attempts.
## Detection
- **Indicators of Compromise:** Unusual spikes in worker process restarts; `SIGSEGV` or `SIGBUS` errors in NGINX error logs.
- **Detection methods and tools:** Monitoring tools (such as NGINX Amplify or Prometheus) to track worker health and response latency.
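The crash indicators listed above can be checked directly against the NGINX error log, since the master process records each crashed worker as `worker process <pid> exited on signal <n>` (signal 11 is SIGSEGV and signal 7 is SIGBUS on Linux). The following is an added detection example, not code from the advisory or from F5: it parses constructed sample log lines, extracts every worker crash, and flags when the count reaches an assumed alerting threshold.

```python
import re
from collections import Counter

# Added example (not from the advisory): find worker-process crashes in an
# nginx error log. The master process logs a crashed worker as
# "worker process <pid> exited on signal <n>"; on Linux signal 11 is SIGSEGV,
# 7 is SIGBUS and 6 is SIGABRT.
CRASH_SIGNALS = {11: "SIGSEGV", 7: "SIGBUS", 6: "SIGABRT"}

# nginx error-log line layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$"
)
EXIT_RE = re.compile(r"worker process (?P<wpid>\d+) exited on signal (?P<sig>\d+)")


def parse_crashes(lines):
    """Return one dict per worker crash found in the given error-log lines."""
    crashes = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an nginx error-log line
        e = EXIT_RE.search(m.group("msg"))
        if not e:
            continue  # some other message (worker start, request error, ...)
        sig = int(e.group("sig"))
        crashes.append({
            "ts": m.group("ts"),
            "worker_pid": int(e.group("wpid")),
            "signal": sig,
            "name": CRASH_SIGNALS.get(sig, f"signal {sig}"),
            "core_dumped": "core dumped" in m.group("msg"),
        })
    return crashes


def crash_summary(lines, threshold=3):
    """Count crashes per signal name and raise an alert flag once the total
    reaches `threshold`. The threshold is an assumed value; tune it to the
    normal restart rate of the deployment."""
    crashes = parse_crashes(lines)
    counts = Counter(c["name"] for c in crashes)
    return {
        "total": len(crashes),
        "by_signal": dict(counts),
        "alert": len(crashes) >= threshold,
    }


# Constructed sample lines in nginx error-log format (not real log data).
SAMPLE_LOG = """\
2026/03/10 09:14:02 [notice] 1201#1201: signal 17 (SIGCHLD) received from 1205
2026/03/10 09:14:02 [alert] 1201#1201: worker process 1205 exited on signal 11 (core dumped)
2026/03/10 09:14:02 [notice] 1201#1201: start worker process 1290
2026/03/10 09:14:09 [error] 1290#1290: *17 open() "/var/www/html/favicon.ico" failed (2: No such file or directory)
2026/03/10 09:15:31 [alert] 1201#1201: worker process 1290 exited on signal 7
2026/03/10 09:15:31 [notice] 1201#1201: start worker process 1302
2026/03/10 09:15:40 [alert] 1201#1201: worker process 1302 exited on signal 11 (core dumped)
""".splitlines()

if __name__ == "__main__":
    for c in parse_crashes(SAMPLE_LOG):
        print(f"{c['ts']} worker {c['worker_pid']} died: {c['name']} "
              f"core_dumped={c['core_dumped']}")
    print(crash_summary(SAMPLE_LOG))
```

In production the same functions can be fed the tail of `/var/log/nginx/error.log` (path assumed; it depends on the build and distribution) from a log shipper or a cron job, and the `by_signal` breakdown separates a memory-safety crash (SIGSEGV/SIGBUS) from ordinary worker restarts such as a reload or a graceful shutdown, which do not produce an `exited on signal` line.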
## References
- **Vendor advisory:** hxxps[://]my[.]f5[.]com/manage/s/article/K000160336
- **Cyber Centre Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/f5-security-advisory-av26-273