F5 security patch release for CVE-2026-42945
Security Patch Release
Summary
Hide ▲
Show ▼
F5 released security fixes for NGINX Plus and NGINX Open Source after disclosing multiple vulnerabilities, including CVE-2026-42945. The patch release covers impacted NGINX product lines and version ranges, including NGINX Plus R32-R36 and NGINX Open Source 1.0.0-1.30.0, reducing exposure to unauthenticated crafted-request attacks that can cause RCE or DoS. F5 also provided a temporary configuration workaround for environments that cannot patch immediately.
Related Happenings
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
**F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch Release
H score34
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch ReleaseAbout this happening: **F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...
Nginx security patch release for CVE-2026-49975
Security Patch Release
H score42
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Nginx security patch release for CVE-2026-49975
Security Patch ReleaseAbout this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationAbout this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
Ivanti security patch release for CVE-2026-8043
Security Patch Release
H score25
First: 18.05.2026 13:54
Last: 18.05.2026 13:54
Sources 1
About this happening:
**Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...
Ivanti security patch release for CVE-2026-8043
Security Patch ReleaseAbout this happening: **Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...
Timeline
-
17.05.2026 14:57 1 articles · 1mo ago
VulnCheck reports active exploitation of CVE-2026-42945 in NGINX
Exploitation ObservedVulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
Show sources
- NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE — thehackernews.com — 17.05.2026 14:57
-
14.05.2026 09:00 1 articles · 1mo ago
Responsible disclosure of NGINX vulnerabilities to F5
Initial DisclosureOn April 21, 2026, researchers responsibly disclosed multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source to F5, including CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module later codenamed NGINX Rift that can enable remote code execution or denial of service through crafted requests.
Show sources
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE — thehackernews.com — 14.05.2026 09:00
-
14.05.2026 09:00 1 articles · 1mo ago
F5 releases NGINX security fixes and workaround guidance
Mitigation Patch UpdateOn May 14, 2026, F5 released advisory guidance and fixed versions for NGINX Plus, NGINX Open Source, and related NGINX products, including NGINX Plus R32 P6 and R36 P4, NGINX Open Source 1.30.1 and 1.31.0, and a workaround for CVE-2026-42945 that replaces unnamed captures with named captures in affected rewrite directives.
Show sources
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE — thehackernews.com — 14.05.2026 09:00