On 14 May 2026, F5 announced fixes for over 19 high-severity and 32 medium-severity vulnerabilities affecting BIG-IP, BIG-IQ, and NGINX. Based on CVSS scores, the most severe issue is CVE-2026-42945, a DoS in NGINX’s ngx_http_rewrite_module with a CVSS v4.0 score of 9.2 that could allow an unauthenticated attacker to trigger a heap overflow and a restart, potentially enabling code execution if ASLR is disabled.
The next notable flaw is CVE-2026-41225 (CVSS 8.6), a weakness in iControl REST that could enable a highly privileged attacker with at least Manager permissions to create configuration objects and execute commands. According to F5, fixes also cover high-severity RCE and remote command injection vulnerabilities (CVE-2026-41957, CVE-2026-34176, CVE-2026-39459) requiring authentication. None of the vulnerabilities appear to have been exploited in the wild, and more information is available in F5’s security notification.