Find notable cyber news and cases, enriched with sources, timelines, and signals.

F5 security patch release for CVE-2026-42945

Security Patch Release
First reported
Last updated
Happening score
H score 25
1 unique sources, 2 articles

Summary

Hide ▲

F5 released security fixes for NGINX Plus and NGINX Open Source after disclosing multiple vulnerabilities, including CVE-2026-42945. The patch release covers impacted NGINX product lines and version ranges, including NGINX Plus R32-R36 and NGINX Open Source 1.0.0-1.30.0, reducing exposure to unauthenticated crafted-request attacks that can cause RCE or DoS. F5 also provided a temporary configuration workaround for environments that cannot patch immediately.

Related Happenings

F5 security patch release for CVE-2026-42530

Security Patch Release
H score39 First: 18.06.2026 20:32 Last: 18.06.2026 20:32 Sources 1

About this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...

F5 NGINX out-of-band security updates (multiple vulnerabilities)

Security Patch Release
H score34 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **F5** released **out-of-band security updates** for **NGINX** after finding multiple web server vulnerabilities, including **two critical flaws** that could enable **remote code...

Nginx security patch release for CVE-2026-49975

Security Patch Release
H score42 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

About this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

Ivanti security patch release for CVE-2026-8043

Security Patch Release
H score25 First: 18.05.2026 13:54 Last: 18.05.2026 13:54 Sources 1

About this happening: **Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...

Timeline

  1. 17.05.2026 14:57 1 articles · 1mo ago

    VulnCheck reports active exploitation of CVE-2026-42945 in NGINX

    Exploitation Observed

    VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.

    Show sources
  2. 14.05.2026 09:00 1 articles · 1mo ago

    Responsible disclosure of NGINX vulnerabilities to F5

    Initial Disclosure

    On April 21, 2026, researchers responsibly disclosed multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source to F5, including CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module later codenamed NGINX Rift that can enable remote code execution or denial of service through crafted requests.

    Show sources
  3. 14.05.2026 09:00 1 articles · 1mo ago

    F5 releases NGINX security fixes and workaround guidance

    Mitigation Patch Update

    On May 14, 2026, F5 released advisory guidance and fixed versions for NGINX Plus, NGINX Open Source, and related NGINX products, including NGINX Plus R32 P6 and R36 P4, NGINX Open Source 1.30.1 and 1.31.0, and a workaround for CVE-2026-42945 that replaces unnamed captures with named captures in affected rewrite directives.

    Show sources