F5 security advisory (AV26-612)
Analysis Summary
# Vulnerability: F5 NGINX Product Suite Security Updates (June 2026)
## CVE Details
*Note: The primary source (AV26-612) refers to an "Out-of-band Security Notification" (K000161614) which typically aggregates multiple CVEs. Specific CVE IDs are often detailed within the individual sub-advisories on the MyF5 portal.*
- **CVE ID:** [Pending/Multiple - Refer to K000161614]
- **CVSS Score:** Variable (High Severity indicated by Out-of-band classification)
- **CWE:** Not specified in the summary advisory.
## Affected Systems
- **Products & Versions:**
  - **F5 DoS for NGINX:** Version 4.9.0
  - **F5 WAF for NGINX Instance Manager:** Versions 5.9.0 to 5.13.1
  - **NGINX App Protect DoS:** Versions 4.3.0 to 4.7.0
  - **NGINX App Protect WAF:** Versions 5.2.0 to 5.8.0 and 4.10.0 to 4.16.0
  - **NGINX Open Source:** Versions 1.30.0 to 1.30.2 and 1.31.0 to 1.31.1
  - **NGINX Instance Manager:** Versions 2.17.0 to 2.22.0
  - **NGINX Plus:** Versions 37.0.0 R33 to 37.01 R36
  - **NGINX Gateway Fabric:** Multiple versions (check the specific branch)
  - **NGINX Ingress Controller:** Multiple versions
- **Configurations:** Systems running the above software versions in production environments, particularly those acting as web application firewalls (WAF) or Ingress controllers.
## Vulnerability Description
While the Canadian Centre for Cyber Security bulletin (AV26-612) acts as a high-level notification, these out-of-band updates for the NGINX ecosystem typically address critical flaws in request processing, memory management in the WAF engine, or resource exhaustion (Denial of Service) vulnerabilities in the App Protect modules.
## Exploitation
- **Status:** Not explicitly stated as "exploited in the wild," but the "Out-of-band" status indicates a high urgency.
- **Complexity:** Usually Low to Medium for NGINX-related network flaws.
- **Attack Vector:** Network (External attackers targeting web-facing NGINX instances).
## Impact
- **Confidentiality:** Potential (Depending on the specific CVE)
- **Integrity:** Potential (Especially for WAF bypass scenarios)
- **Availability:** High (Common impact for NGINX and DoS module flaws)
## Remediation
### Patches
F5 recommends upgrading to versions beyond those listed in the "Affected" category. Specific patch targets include:
- **NGINX Open Source:** Upgrade to versions outside the 1.30.x/1.31.x vulnerable range as directed by F5.
- **NGINX Plus:** Update to the latest stable R-release (e.g., beyond R36).
- **NGINX App Protect:** Update to the latest versions (v5.9.0+ or v4.17.0+ as applicable).
### Workarounds
- Review access control lists (ACLs) to restrict access to NGINX Instance Manager.
- Temporarily disable affected modules (e.g., App Protect DoS) if an immediate patch is not possible and the environment is under active threat.
## Detection
- **Indicators of Compromise:** Look for unusual spikes in NGINX error logs (5xx errors) or unexpected crashes of the `nginx` worker processes.
- **Detection methods and tools:** Use the F5 NGINX Instance Manager to audit the fleet for vulnerable version strings listed above.
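An added example of the fleet audit described above, not part of the advisory or an F5 tool: it encodes the affected ranges listed in this summary and checks `nginx -v` banners or inventory fields against them. The `host,product,version` inventory format and the sample hosts are constructed; NGINX Plus is not modelled because its R-release numbering does not fit an x.y.z comparison.

```python
import re

# Affected version ranges exactly as listed in this advisory summary (inclusive).
# NGINX Plus is omitted: its "R" release numbering does not fit the x.y.z scheme.
AFFECTED = {
    "nginx-open-source": [("1.30.0", "1.30.2"), ("1.31.0", "1.31.1")],
    "nginx-app-protect-waf": [("5.2.0", "5.8.0"), ("4.10.0", "4.16.0")],
    "nginx-app-protect-dos": [("4.3.0", "4.7.0")],
    "nginx-instance-manager": [("2.17.0", "2.22.0")],
    "f5-waf-for-nginx-instance-manager": [("5.9.0", "5.13.1")],
    "f5-dos-for-nginx": [("4.9.0", "4.9.0")],
}

def parse_version(text):
    """Extract the first x.y.z version from a banner or inventory field as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(product, version_text):
    """True if the version falls inside any listed range. Integer-tuple comparison
    avoids the '1.30.10 < 1.30.2' mistake that plain string comparison would make."""
    v = parse_version(version_text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[product])

def audit_inventory(lines):
    """lines: 'host,product,version' records (constructed format, not an NIM export).
    Returns one (host, product, version, status) tuple per record."""
    results = []
    for line in lines:
        host, product, version = (f.strip() for f in line.split(","))
        if "nginx-plus" in version.lower():
            status = "review-manually"   # Plus R-releases are not modelled here
        elif product not in AFFECTED:
            status = "unknown-product"
        else:
            status = "AFFECTED" if is_affected(product, version) else "ok"
        results.append((host, product, version, status))
    return results

# Constructed sample inventory; versions chosen to sit on the range edges.
SAMPLE = [
    "web-01,nginx-open-source,nginx version: nginx/1.30.1",
    "web-02,nginx-open-source,nginx version: nginx/1.30.10",
    "web-03,nginx-open-source,nginx version: nginx/1.27.4 (nginx-plus-r34)",
    "waf-01,nginx-app-protect-waf,4.16.0",
    "waf-02,nginx-app-protect-waf,4.17.0",
    "nim-01,nginx-instance-manager,2.22.0",
]

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE):
        print("%-7s %-34s %-45s %s" % row)
```

Note that `nginx -v` writes its banner to stderr, so capture that stream when collecting versions from hosts.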
## References
- F5 Security Advisory K000161614: hxxps[://]my[.]f5[.]com/manage/s/article/K000161614
- MyF5 Portal: hxxps[://]my[.]f5[.]com/manage/s/article/K12201527
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/f5-security-advisory-av26-612