CVE-2026-60005
F5 · NGINX Plus / NGINX Open Source
A vulnerability in the ngx_http_slice_module of NGINX Plus and NGINX Open Source allows for potential denial of service due to the use of uninitialized resources.
Executive summary
A high-severity memory-related vulnerability in the NGINX ngx_http_slice_module can be exploited by unauthenticated attackers to cause a denial of service.
Vulnerability
This vulnerability resides in the ngx_http_slice_module and involves the use of uninitialized resources. An unauthenticated attacker can trigger this condition, leading to service instability and potential crashes, effectively causing a denial of service for the affected NGINX instance.
Business impact
The CVSS score of 8.2 reflects the high impact on service availability. Because this vulnerability can be exploited by unauthenticated remote attackers, it poses a direct threat to the uptime of web services relying on the affected NGINX modules, which could result in significant business disruption and revenue loss.
Remediation
Immediate Action: Upgrade NGINX Plus or NGINX Open Source to the patched versions identified in the vendor security advisory.
Proactive Monitoring: Monitor NGINX error logs for recurring process crashes or segmentation faults that may indicate an exploitation attempt.
Compensating Controls: If immediate patching is not feasible, consider disabling the ngx_http_slice_module if it is not required for your specific application delivery needs.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for denial of service and the ease of exploitation by unauthenticated actors, this update should be treated as a high-priority task. Ensure all NGINX deployments are audited and updated to the latest secure versions as soon as possible.