F5 on Wednesday announced fixes for more than 19 high-severity and 32 medium-severity vulnerabilities impacting BIG-IP, BIG-IQ, and NGINX.
Based on CVSS score, the most severe of the resolved issues is CVE-2026-42945 (CVSS v4.0 score of 9.2), a denial-of-service (DoS) issue in NGINX’s ngx_http_rewrite_module module.
The bug allows an unauthenticated attacker to send crafted HTTP requests that, combined with certain conditions beyond the attacker’s control, could trigger a heap buffer overflow and a restart. If Address Space Layout Randomization (ASLR) is disabled, the flaw could be exploited for code execution.
Next in line is CVE-2026-41225 (CVSS v4.0 score of 8.6), a weakness in iControl REST that could allow an authenticated attacker who has at least Manager permissions to create configuration objects, leading to command execution.
“This vulnerability may allow a highly privileged attacker with network access to the affected iControl REST endpoint through the BIG-IP management port or self IP addresses to escalate their privileges or bypass Appliance mode restrictions. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary. There is no data plane exposure; this is a control plane issue only,” F5 explains.
On Wednesday, the company also announced fixes for high-severity remote code execution (RCE) and remote command injection vulnerabilities (CVE-2026-41957, CVE-2026-34176, CVE-2026-39459) in BIG-IP that require authentication.
Of the remaining high-severity flaws, one can lead to restriction bypass, another to arbitrary file tampering, and 12 to denial-of-service (DoS) conditions, mainly by causing the Traffic Management Microkernel (TMM) to terminate.
The medium-severity issues that F5 addressed this week could lead to security protection bypass, privilege escalation, information disclosure, arbitrary system command execution, DoS conditions, code injection, and arbitrary local file tampering.
None of these vulnerabilities appears to have been exploited in the wild. Additional information can be found in F5’s quarterly security notification.