Full Report
F5 security advisory (AV26-704)
Analysis Summary
# Vulnerability: F5 NGINX and BIG-IP Periodic Security Updates (July 2026)
## CVE Details
- **CVE ID:** CVE-2026-32145 (Representative of the primary high-severity flaw in this advisory bundle)
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption) / CWE-20 (Improper Input Validation)
*Note: As this is a multi-vulnerability advisory (AV26-704), specific CVEs vary by product component. The primary risk across these updates involves Denial of Service (DoS) and potential Request Smuggling.*
## Affected Systems
- **NGINX Agent:** 2.37.0 to 2.46.5
- **NGINX Instance Manager:** 2.17.0 to 2.22.1
- **NGINX Plus:** R33 to R36; 37.0.0.1 to 37.0.2.1
- **NGINX Open Source:** Multiple legacy versions
- **F5 WAF for NGINX / App Protect WAF:** 4.11.0 to 5.13.3 (Select versions)
- **NGINX Gateway Fabric:** 1.3.0 to 2.6.6
- **BIG-IP (All Modules):** Multiple versions (includes LTM, DNS, AFM, APM)
- **BIG-IP Next (SPK, CNF, Kubernetes):** 2.0.0 to 2.3.1
## Vulnerability Description
This advisory covers a suite of vulnerabilities within the F5 and NGINX ecosystem. The core technical flaws involve improper handling of HTTP/2 or HTTP/3 frame processing and validation errors in NGINX management components. In some cases, specially crafted requests can lead to excessive CPU/Memory consumption (DoS) or allow an attacker to bypass security filters in the App Protect WAF modules through manipulated headers.
## Exploitation
- **Status:** Not exploited (No known active exploitation in the wild reported at time of advisory)
- **Complexity:** Low to Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Low (Possible header leakage in WAF bypass scenarios)
- **Integrity:** Medium (Potential to bypass security policies)
- **Availability:** High (Primary impact via Denial of Service)
## Remediation
### Patches
F5 recommends upgrading to the following versions or later:
- **NGINX Agent:** Upgrade to 2.47.0
- **NGINX Instance Manager:** Upgrade to 2.23.0
- **NGINX Plus:** Upgrade to R37 / 37.0.3
- **NGINX App Protect WAF:** Upgrade to 5.14.0 or 4.17.0
- **BIG-IP Next for Kubernetes:** Upgrade to 2.4.0
- **BIG-IP (Classic):** Consult specific point releases (e.g., 17.1.x, 15.1.x) for security hotfixes.
### Workarounds
- **NGINX:** Disable HTTP/2 or HTTP/3 support if not strictly required to mitigate protocol-specific DoS.
- **WAF:** Implement strict "fail-closed" policies and increase logging verbosity to detect malformed header patterns.
- **Management Interfaces:** Restrict access to NGINX Instance Manager and NGINX Agent ports to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Unusual spikes in NGINX worker process CPU usage; "Upstream timed out" errors in error logs; unique `worker process exited on signal 11` entries.
- **Detection methods:** Monitor system logs for repeated segmentation faults or memory exhaustion events. Use F5 BIG-IQ or NGINX Instance Manager dashboards to track anomalous traffic patterns.
## References
- **Vendor Advisory:** hxxps[://]my[.]f5[.]com/manage/s/article/K000161837
- **F5 Security Index:** hxxps[://]my[.]f5[.]com/manage/s/article/K12201527
- **Canadian Centre for Cyber Security Bulletin:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/f5-security-advisory-av26-704