F5 security advisory (AV26-485)
Analysis Summary
# Vulnerability: NGINX JavaScript (njs) Memory Corruption
## CVE Details
- **CVE ID:** CVE-2026-8711
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) / CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** NGINX JavaScript (njs) / `ngx_http_js_module`
- **Versions:** 0.9.4 through 0.9.8
- **Configurations:** Systems utilizing the `ngx_http_js_module` or `ngx_stream_js_module` to execute JavaScript code within NGINX.
## Vulnerability Description
A critical heap-based buffer overflow vulnerability exists in the NGINX JavaScript (njs) module. The flaw occurs during the processing of specially crafted JavaScript code or input. Because the module does not properly validate the length of data before copying it into an allocated buffer, an attacker can overwrite adjacent memory. This can lead to a crash (Denial of Service) or, more severely, arbitrary code execution within the context of the NGINX worker process.
## Exploitation
- **Status:** Not exploited in the wild (as of advisory date); PoC status: Internal/Private.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Potential for memory disclosure or data theft)
- **Integrity:** High (Potential for unauthorized modification of system state or files)
- **Availability:** High (Process crashes leading to service disruption)
## Remediation
### Patches
F5 recommends upgrading to the following versions or later:
- **NGINX JavaScript (njs):** Version 0.10.0 or higher.
- Users of F5 NGINX Plus should update to the latest maintenance release (R31 P1 or R32 as applicable, depending on the bundled module version).
### Workarounds
- **Disable njs:** If the JavaScript module is not critical to operations, disable it by removing the `load_module` directive for `ngx_http_js_module.so` or `ngx_stream_js_module.so` from the `nginx.conf` file.
- **Input Validation:** Implement strict input validation at the application layer to prevent malicious data from reaching the njs engine.
## Detection
- **Indicators of Compromise:** Unusual NGINX worker process crashes (Segmentation Faults) logged in the NGINX error logs.
- **Detection methods and tools:** Monitor for unexpected memory usage spikes or core dumps. Security teams can use static analysis tools to scan custom njs scripts for unsafe memory operations.
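
The log-based indicator above can be checked mechanically. The following is an added example, not part of the F5 advisory: it scans NGINX error-log lines for worker processes that exited on a fault signal and flags minutes with repeated crashes. The log lines are constructed samples, and the set of fault signals and the burst threshold of 3 are assumptions to tune per environment.

```python
import re
from collections import Counter
from datetime import datetime

# The nginx master logs a worker that died on a signal like this:
#   2026/05/12 10:14:03 [alert] 911#911: worker process 1543 exited on signal 11 (core dumped)
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)
# Assumption: Linux signal numbers that point to a fault rather than an
# operator stop (SIGILL=4, SIGABRT=6, SIGBUS=7, SIGSEGV=11).
FAULT_SIGNALS = {4, 6, 7, 11}

def find_worker_crashes(lines):
    """Return one record per worker process that exited on a fault signal."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m["sig"]) in FAULT_SIGNALS:
            crashes.append({
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "pid": int(m["pid"]),
                "signal": int(m["sig"]),
                "core_dumped": m["core"] is not None,
            })
    return crashes

def crash_bursts(crashes, threshold=3):
    """Map each minute with at least `threshold` crashes to its crash count."""
    per_minute = Counter(c["time"].replace(second=0) for c in crashes)
    return {minute: n for minute, n in sorted(per_minute.items()) if n >= threshold}

# Constructed sample error-log lines (not taken from a real system).
SAMPLE_LOG = """\
2026/05/12 10:13:58 [notice] 911#911: signal 17 (SIGCHLD) received from 1540
2026/05/12 10:14:03 [alert] 911#911: worker process 1543 exited on signal 11 (core dumped)
2026/05/12 10:14:09 [alert] 911#911: worker process 1544 exited on signal 11 (core dumped)
2026/05/12 10:14:41 [alert] 911#911: worker process 1547 exited on signal 11
2026/05/12 10:20:15 [alert] 911#911: worker process 1552 exited on signal 15
2026/05/12 10:25:30 [notice] 911#911: worker process 1555 exited with code 0
2026/05/12 10:31:02 [alert] 911#911: worker process 1561 exited on signal 6 (core dumped)
""".splitlines()

if __name__ == "__main__":
    crashes = find_worker_crashes(SAMPLE_LOG)
    for c in crashes:
        print(c["time"], "pid", c["pid"], "signal", c["signal"], "core" if c["core_dumped"] else "")
    for minute, n in crash_bursts(crashes).items():
        print(f"ALERT: {n} worker crashes in the minute starting {minute}")
```

A worker crash is not specific to this CVE, so a hit is a prompt to check the installed njs version and collect the core dump, not confirmation of exploitation.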
## References
- F5 Security Advisory: hxxps[://]my[.]f5[.]com/manage/s/article/K000161307
- Canadian Centre for Cyber Security: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/f5-security-advisory-av26-485