AI Security · CVE-2026-42533

Sixteen Researchers Found the Same NGINX Bug at Once

F5 patched a critical heap overflow in NGINX's map and regex path, CVE-2026-42533, and credited about sixteen researchers who each found it independently. That is what open-source review looks like now that AI has lowered the barrier. The bug, who is exposed, and how Caver detects it.

Matt Lucas  |  July 15, 2026  |  6 min
A cracked brick wall studied by many magnifying glasses, editorial illustration
CVEs in this postCVE-2026-42533CVE-2026-42945CVE-2026-9256Live detections →All RedEye CVEs →
9.2
CVSS v4.0, Critical
~16
Independent finders credited
0.9.6–1.31.2
NGINX Open Source affected
1.30.4 / 1.31.3
Fixed builds (Jul 15)
TL;DR
  • What: a heap buffer overflow (CWE-122) in NGINX Plus and NGINX Open Source, reachable when a map directive uses regex matching and a string expression references the map's regex capture variables before the map output variable (or a non-cacheable variable in a string expression under certain conditions). An unauthenticated attacker triggers it with crafted HTTP requests.
  • Impact: the NGINX worker process crashes and respawns (denial of service), and code execution is possible where ASLR is disabled or bypassable. CVSS v4.0 9.2 Critical (v3.1 8.1 High).
  • Scope: NGINX Open Source 0.9.6 through 1.31.2, fixed in 1.30.4 (stable) and 1.31.3 (mainline), both released 2026-07-15. NGINX Plus is affected per NVD (R36 before R36 P7, R33 and earlier).
  • The story: F5 credited about sixteen researchers who independently reported the same bug, several of them AI-security shops. No public exploit or in-the-wild activity for this CVE at disclosure, but patch on the assumption that changes fast.

The bug

The vulnerable pattern is specific. NGINX's map directive can key on a regular expression, and when it does, the regex can expose capture groups ($1, named captures) to later parts of the configuration. The overflow happens when a string expression references one of those regex capture variables before it references the map's own output variable, or when a non-cacheable variable is used in a string expression under certain conditions. In that ordering, NGINX mishandles the heap allocation backing the value, and a crafted request can overflow it inside the worker process.

The immediate result is a worker crash and automatic respawn, which at volume is a denial of service. The more serious ceiling is code execution: F5's advisory notes it is achievable on systems where Address Space Layout Randomization is disabled, or where the attacker can bypass ASLR. The attack is unauthenticated and delivered over ordinary HTTP, which is why it lands at CVSS 9.2 despite a high attack complexity: it needs the specific config and a groomable heap, not a foothold.

Who is exposed

Two things have to be true. First, you are running an affected build: NGINX Open Source from 0.9.6 up to and including 1.31.2, or an affected NGINX Plus release. Second, and this is the real gate, your configuration uses a regex map whose captures are referenced ahead of the map output in a downstream string expression, a log format, a proxied header, a set, or a chained map. Regex maps are common; that exact ordering is a narrower slice, so this is not universal, but it is also not exotic.

What to do

Upgrade to NGINX 1.30.4 or 1.31.3 (or NGINX Plus R36 P7). If you cannot patch immediately, audit your map blocks: find any that use regex keys and reorder or remove string expressions that reference a capture variable before the map's output variable. Leaving ASLR enabled does not fix the bug but caps the worst case at denial of service by blocking the code-execution path.

Sixteen finders, one bug

The detail worth pausing on is in the acknowledgments. F5 credited roughly sixteen researchers and teams who independently reported this same flaw, and several are AI-focused security shops. That is not a coincidence, it is the new baseline. AI-assisted source review has made deep reading of large open-source codebases cheap enough that many people now run the same passes over the same high-value targets at the same time, and they surface the same bug within days of each other.

This quietly breaks an assumption behind coordinated disclosure. The 90-day clock was designed for a world where a bug had one finder, or a few, who could hold it quietly while a vendor shipped a fix. When a dozen-plus independent parties are sitting on the same finding, the probability that it stays private, or that a proof of concept stays unpublished, drops fast. For defenders the takeaway is blunt: treat "independently reported by many" as a countdown, not a comfort. Patch as if the exploit is already written, because with that many finders it very likely soon will be.

Do not conflate the NGINX CVEs

This is CVE-2026-42533, the map/regex heap overflow. It is distinct from CVE-2026-42945 (the ngx_http_rewrite_module bug that has seen public PoC and exploitation) and from CVE-2026-9256. As of disclosure there is no public exploit or in-the-wild activity specific to 42533. Report and prioritize them separately.

How Caver detects it

There is no published exploit signature for 42533, so detection is behavioral and layered rather than a single payload match:

Caver ships a Sigma detection for CVE-2026-42533 in the RedEye Intel Feed built on exactly that crash-loop logic, correlating worker segfault/respawn events per host over a short window. It is the same principle behind every detection we publish: we write about the bug, and we ship the rule that catches its exploitation.

The RedEye take

CVE-2026-42533 is a clean example of the moment we are in. The bug itself is a textbook heap overflow in one of the most deployed pieces of software on the internet, serious, but the kind of thing that gets patched every year. What is new is the shape of its discovery: sixteen independent finders, several of them machines pointed at source code, converging on one flaw at once. That compresses the safe window between disclosure and exploitation to almost nothing, and it rewards teams who patch on disclosure and detect in depth over teams who wait for a PoC to appear. Patch to 1.30.4 or 1.31.3, audit your regex maps, and watch your workers for crashes. The clock on this class of bug is only getting shorter.

See the detection, and the platform behind it

Caver ships the CVE-2026-42533 detection in the RedEye Intel Feed and runs it against your logs. It is our Splunk-compatible SIEM on an open lakehouse: cheaper storage, faster queries, and you own your data. The same platform powers our threat-intelligence feeds and our exposure scanner.

Caver at getcaver.com

Sources

NVD, CVE-2026-42533 (CVSS v4.0 9.2, CWE-122). nvd.nist.gov. F5 Security Advisory K000162097, "NGINX map directive and regex matching vulnerability." my.f5.com. NGINX security advisories and 2026 changelog (affected 0.9.6 to 1.31.2; fixed 1.30.4 / 1.31.3). nginx.org.