F5 NGINX Plus MQTT Filter Module Heap Buffer Over-Read Vulnerability Leading to Denial-of-Service

Vulnerability

A heap buffer over-read vulnerability has been identified in NGINX Plus versions 37.0.0.1 to 37.0.2.1 and in the NGINX Plus 5.x version range prior to 5.9.0, when the Message Queuing Telemetry Transport (MQTT) filter module is enabled. This vulnerability allows remote, unauthenticated attackers to send requests that cause a heap buffer over-read in the NGINX worker process, leading to a process restart. This issue affects the data plane only, with no exposure to the control plane.

Impact

Exploitation of this vulnerability causes the NGINX worker process to restart, disrupting any active connections or processes handled by that worker.

Remediation

Users can upgrade to NGINX Plus version 37.0.3.1 or NGINX Plus 5.9.0 and above to address this vulnerability.

Added: Jul 15, 2026, 3:38 PM
Updated: Jul 15, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm
spread
3.4
impact
1.3
exploitability
7.6
remediation
7.7
relevance
9.8
threat
0.0
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.