Impact:
This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only.
Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Project Subscriptions
No data.
No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
| Link | Providers |
|---|---|
| https://my.f5.com/manage/s/article/K000162100 |
|
Wed, 15 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
F5
F5 nginx Open Source F5 nginx Plus |
|
| Vendors & Products |
F5
F5 nginx Open Source F5 nginx Plus |
Wed, 15 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart. Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |
| Title | NGINX ngx_http_slice_module vulnerability | |
| Weaknesses | CWE-908 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: f5
Published:
Updated: 2026-07-15T15:41:06.279Z
Reserved: 2026-07-08T15:49:43.059Z
Link: CVE-2026-60005
Updated: 2026-07-15T15:41:00.420Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T19:15:14Z