CVE-2026-60005 in NGINX Plus
Summary
by MITRE • 07/15/2026
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_slice_module module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX worker process, leading to limited disclosure of memory or a restart.
Impact: This vulnerability may allow remote, unauthenticated attackers to have limited control to disclose memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only. Note: The ngx_http_slice_module module is not enabled by default; it's enabled with the --with-http_slice_module configuration parameter.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability resides within the ngx_http_slice_module module of NGINX Plus and NGINX Open Source, representing a memory safety issue that manifests under specific configuration conditions. This module, when activated through the --with-http_slice_module compilation parameter, processes HTTP requests with slice directives and handles unnamed regex captures during background cache updates. The flaw emerges from improper handling of uninitialized memory access patterns within worker processes, creating potential attack vectors for remote adversaries.
Technical exploitation occurs when unauthenticated attackers craft malicious requests that trigger the module's processing logic during background cache operations or when slice directives interact with unnamed regular expression captures. The vulnerability stems from insufficient validation of memory allocation states before accessing memory segments that may contain uninitialized data. This behavior aligns with CWE-457: Use of Uninitialized Variable, which classifies such issues as memory safety problems where programs access variables without proper initialization.
The operational impact of this vulnerability extends to potential information disclosure and service disruption within the affected NGINX worker processes. Attackers can potentially extract sensitive data from uninitialized memory segments, though the scope is limited to the specific memory regions accessible through the module's processing paths. Additionally, repeated exploitation attempts may cause worker process restarts, leading to temporary service degradation while the system recovers from the restart conditions.
Mitigation strategies should focus on immediate configuration adjustments and operational controls. The most effective approach involves disabling the ngx_http_slice_module if it is not actively required for specific use cases, as this module is not enabled by default. Organizations should conduct thorough configuration reviews to identify systems with this module activated and evaluate whether the functionality is necessary for their deployment scenarios. When the module must remain enabled, implementing strict access controls and network segmentation can limit exposure, though the vulnerability affects unauthenticated attackers directly. Additionally, maintaining current NGINX versions and applying official security patches represents the most comprehensive remediation approach. The ATT&CK framework categorizes this as a privilege escalation technique through memory corruption, specifically targeting application-level vulnerabilities in web server components that could lead to information disclosure or denial of service conditions.