CVE-2026-40701: CWE-416 Use After Free in F5 NGINX Plus
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
This vulnerability in the ngx_http_ssl_module of F5 NGINX Plus and NGINX Open Source arises under specific SSL configuration settings involving client certificate verification and OCSP stapling or resolver usage. When ssl_verify_client is enabled as "on" or "optional" and ssl_ocsp is enabled or leaf parameters are configured with a resolver, crafted requests can cause a heap-use-after-free error in the NGINX worker process. This may lead to limited data modification or cause the worker process to restart. The vulnerability is identified as CWE-416 (Use After Free) and has a CVSS 3.1 base score of 4.8, indicating medium severity. The affected versions include R32 and R36. The vendor has not yet provided an official fix or remediation guidance, and no exploits are currently known in the wild.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to cause a heap-use-after-free error in the NGINX worker process, potentially resulting in limited modification of data or a restart of the worker process. The impact is limited to confidentiality and availability with no indication of integrity compromise beyond limited data modification. The CVSS score of 4.8 reflects this moderate impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling ssl_ocsp or ssl_verify_client directives if feasible to avoid the vulnerable configuration. Monitor vendor communications for updates on patches or official mitigations.
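To find where the configuration described above is actually in effect, the following added example (not code from F5 or from this page) walks an NGINX configuration dump and reports each `http`-level `server` block whose effective settings combine `ssl_verify_client on|optional` with `ssl_ocsp on|leaf`, taking inheritance from the `http` block into account. The `audit` function, the sample configuration and its host names are constructed for illustration; treating `ssl_ocsp leaf` as in scope whether or not a `resolver` is set is a conservative assumption, and the resolver state is reported alongside each hit.

```python
import re

# Constructed sample standing in for `nginx -T` output (not from the advisory).
SAMPLE = """
http {
    resolver 192.0.2.53;
    ssl_ocsp leaf;
    server {
        server_name mtls.example.test;
        ssl_verify_client optional;
    }
    server {
        server_name api.example.test;
        ssl_verify_client on;
        ssl_ocsp off;   # overrides the http-level value
    }
}
"""

WATCHED = ("ssl_verify_client", "ssl_ocsp", "resolver", "server_name")

def audit(conf):
    """Return (server_name, verify, ocsp, resolver_set) for every http server
    block whose effective settings match the combination the advisory names."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (assumes no '#' in values)
    tokens = re.findall(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''', conf)
    stack, words, hits = [{}], [], []
    for tok in tokens:
        if tok == "{":
            scope = dict(stack[-1])  # child block inherits parent settings
            scope["_block"] = words[0] if words else ""
            if scope["_block"] == "http":
                scope["_http"] = True
            stack.append(scope)
            words = []
        elif tok == ";":
            if len(words) > 1 and words[0] in WATCHED:
                stack[-1][words[0]] = words[1].strip("\"'")
            words = []
        elif tok == "}":
            s = stack.pop() if len(stack) > 1 else {}
            v, o = s.get("ssl_verify_client", "off"), s.get("ssl_ocsp", "off")
            if (s.get("_block") == "server" and s.get("_http")
                    and v in ("on", "optional") and o in ("on", "leaf")):
                hits.append((s.get("server_name", "(unnamed)"), v, o, "resolver" in s))
            words = []
        else:
            words.append(tok)
    return hits
```

Run it over the text printed by `nginx -T` so that directives pulled in through `include` are covered.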
Technical Details
- Data Version: 5.2
- Assigner Short Name: f5
- Date Reserved: 2026-04-30T23:04:27.950Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a04970dcbff5d8610dff5a9
Added to database: 5/13/2026, 3:21:49 PM
Last enriched: 5/13/2026, 3:53:44 PM
Last updated: 5/14/2026, 6:47:32 AM