F5 security patch release for CVE-2026-42945
Security Patch Release
Summary
F5 released security fixes for NGINX Plus and NGINX Open Source after disclosing multiple vulnerabilities, including CVE-2026-42945. The patch release covers impacted NGINX product lines and version ranges, including NGINX Plus R32-R36 and NGINX Open Source 1.0.0-1.30.0, reducing exposure to unauthenticated crafted-request attacks that can cause RCE or DoS. F5 also provided a temporary configuration workaround for environments that cannot patch immediately.
Related Happenings
Ivanti security patch release for CVE-2026-8043
Security Patch Release
First: 18.05.2026 13:54
Last: 18.05.2026 13:54
Sources 1
About this happening:
**Ivanti, Fortinet, SAP, Broadcom, and n8n** released **security fixes** on **2026-05-18** for flaws that could enable **authentication bypass**, **remote code execution**, **SQL...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
How related:
For those unable to upgrade, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in vulnerable ‘rewrite’ rules with named captures, which eliminates the main exploitation prerequisite.
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
Linux distros patch release for Fragnasia (CVE-2026-46300)
Security Patch Release
First: 14.05.2026 10:34
Last: 14.05.2026 10:34
Sources 1
About this happening:
Linux distros are rolling out **patches** for **CVE-2026-46300**, a high-severity kernel flaw that can let unprivileged local attackers gain **root** on vulnerable Linux systems....
Linux kernel Dirty Frag patch release (CVE-2026-43284, CVE-2026-43500)
Security Patch Release
First: 11.05.2026 17:30
Last: 11.05.2026 17:30
Sources 1
About this happening:
**Major Linux distributions** are rolling out fixes for **Dirty Frag**, the **Linux kernel** patch release that covers **CVE-2026-43284** and **CVE-2026-43500**. The update matter...
Timeline
-
17.05.2026 14:57 · 1 article
VulnCheck reports active exploitation of CVE-2026-42945 in NGINX
Exploitation Observed
VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open Source, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
Sources:
- NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE — thehackernews.com — 17.05.2026 14:57
-
14.05.2026 09:00 · 1 article
Responsible disclosure of NGINX vulnerabilities to F5
Initial Disclosure
On April 21, 2026, researchers responsibly disclosed multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source to F5, including CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module later codenamed NGINX Rift that can enable remote code execution or denial of service through crafted requests.
Sources:
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE — thehackernews.com — 14.05.2026 09:00
-
14.05.2026 09:00 · 1 article
F5 releases NGINX security fixes and workaround guidance
Mitigation Patch Update
On May 14, 2026, F5 released advisory guidance and fixed versions for NGINX Plus, NGINX Open Source, and related NGINX products, including NGINX Plus R32 P6 and R36 P4, NGINX Open Source 1.30.1 and 1.31.0, and a workaround for CVE-2026-42945 that replaces unnamed captures with named captures in affected rewrite directives.
Sources:
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE — thehackernews.com — 14.05.2026 09:00
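
The workaround described in the related advisory and in the timeline above (replacing unnamed captures such as `$1`, `$2` in `rewrite` directives with named captures), as an added example that is not F5's or the NGINX project's code: a Python helper that converts one directive line. It assumes one unquoted `rewrite regex replacement [flag];` directive per line and no POSIX `[[:class:]]` brackets in the regex; the `capN` names and the function names are hypothetical.

```python
import re

# Assumption: one unquoted `rewrite regex replacement [flag];` directive per line.
REWRITE = re.compile(r"^(\s*rewrite\s+)(\S+)(\s+)(\S+?)((?:\s+\w+)?\s*;.*)$")
# (?<n>...), (?P<n>...) and (?'n'...) already have a name but still take a group number.
NAMED = re.compile(r"\(\?(?:P?<(?![=!])|')(\w+)")

def name_groups(pattern, prefix="cap"):
    """Name every unnamed capture group; return (pattern, names by group number)."""
    out, names, i, in_class = [], [], 0, False
    while i < len(pattern):
        tok, emit = pattern[i], None
        if tok == "\\":                          # escaped character: keep the pair
            tok = pattern[i:i + 2]
        elif in_class:                           # "(" inside [...] is a literal
            in_class = tok != "]"
        elif tok == "[":                         # a leading "]" does not close the class
            in_class, tok = True, re.match(r"\[\^?\]?", pattern[i:]).group()
        elif tok == "(":
            named = NAMED.match(pattern, i)
            if pattern.startswith("(?|", i):
                raise ValueError("branch-reset group: convert by hand")
            if named:
                names.append(named.group(1))
            elif pattern[i + 1:i + 2] not in ("?", "*"):
                names.append(f"{prefix}{len(names) + 1}")
                emit = f"(?<{names[-1]}>"
        out.append(emit or tok)
        i += len(tok)
    return "".join(out), names

def convert(line):
    """Return (line with $N replaced by named captures, notes for manual review)."""
    m = REWRITE.match(line)
    if not m or not re.search(r"\$[1-9]", m.group(4)):
        return line, []
    head, regex, gap, repl, tail = m.groups()
    new_regex, names = name_groups(regex)
    notes = []
    def ref(match):
        k = int(match.group(1))
        if k > len(names):                       # no such group: leave for manual review
            notes.append(f"${k} has no group in this regex")
            return match.group(0)
        return "${" + names[k - 1] + "}"
    return head + new_regex + gap + re.sub(r"\$([1-9])", ref, repl) + tail, notes

if __name__ == "__main__":   # constructed sample line, not taken from the advisory
    print(convert(r"    rewrite ^/shop/([a-z]+)/(\d+)$ /item?cat=$1&id=$2 last;"))
```

Review each converted line and run `nginx -t` before reloading; a non-empty notes list marks a `$N` with no matching group in that directive's regex.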