- 72/2026
- Critical
F5 has released a security update to address several vulnerabilities affecting multiple F5 products.
The addressed vulnerabilities could allow the attacker to perform denial-of-service (DoS) attacks, bypass security restrictions, execute arbitrary code or modify data by injecting arbitrary headers into SMTP upstream requests.
Sample of the addressed vulnerabilities:
1. NGINX Worker Process Buffer Overflow Vulnerability (CVE-2026-27654):
- CVSS: 8.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
2. NGINX Worker Buffer Over-Read or Over-Write Vulnerability (CVE-2026-32647):
- CVSS: 7.8
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
The affected products:
- F5 NGINX Plus.
- F5 NGINX Open Source.
Vulnerabilities
- CVE-2026-27654
- CVE-2026-27784
- CVE-2026-32647
- CVE-2026-27651
- CVE-2026-28755
- CVE-2026-28753
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.