CVE-2026-8711 Overview
CVE-2026-8711 is a heap buffer overflow vulnerability [CWE-122] in NGINX JavaScript (njs) affecting deployments that configure the js_fetch_proxy directive with client-controlled NGINX variables. When configurations reference variables such as $http_*, $arg_*, or $cookie_* alongside a location invoking ngx.fetch(), unauthenticated attackers can trigger memory corruption by sending crafted HTTP requests. The flaw causes the NGINX worker process to crash and restart. On systems with Address Space Layout Randomization (ASLR) disabled, the vulnerability enables remote code execution. F5 has documented the issue in security article K000161307.
Critical Impact
Unauthenticated network attackers can corrupt heap memory in NGINX worker processes, causing denial of service and potential remote code execution on hosts where ASLR is disabled.
Affected Products
- NGINX with NGINX JavaScript (njs) module
- Deployments using the js_fetch_proxy directive with client-controlled variables
- Configurations invoking ngx.fetch() from NGINX JavaScript
Discovery Timeline
- 2026-05-19 - CVE CVE-2026-8711 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8711
Vulnerability Analysis
The vulnerability resides in the NGINX JavaScript (njs) module, specifically in the handling of the js_fetch_proxy directive. The directive allows administrators to proxy subrequests issued by ngx.fetch() through an upstream endpoint defined by NGINX variables. When the directive expression incorporates client-controlled variables, attacker input flows into a memory operation without adequate bounds enforcement.
The overflow occurs in heap-allocated buffers within the worker process. A successful trigger corrupts adjacent heap structures, leading to a worker crash and automatic restart by the NGINX master process. Repeated exploitation produces a sustained denial of service against the affected listener.
On hosts where ASLR is disabled, predictable memory layouts allow attackers to overwrite controllable structures and pivot to arbitrary code execution within the worker context. NGINX worker processes typically handle TLS termination, authentication, and traffic forwarding, so code execution at this layer compromises confidentiality and integrity for all proxied traffic.
Root Cause
The root cause is improper bounds checking when concatenating or copying attacker-controlled HTTP header, query argument, or cookie values into a heap buffer used by the js_fetch_proxy resolution path. The CWE-122 classification confirms the defect as a classic heap buffer overflow.
Attack Vector
The attack vector is network-based and requires no authentication. The attacker sends HTTP requests containing crafted headers, query parameters, or cookies that the NGINX configuration substitutes into the js_fetch_proxy value. When the configured location invokes ngx.fetch(), the malformed input reaches the vulnerable code path and overflows the heap buffer. Refer to the F5 Security Article K000161307 for vendor-confirmed exploitation conditions.
No verified proof-of-concept code is publicly available. The vulnerability is described in prose based on the vendor advisory.
Detection Methods for CVE-2026-8711
Indicators of Compromise
- Unexpected NGINX worker process crashes or SIGSEGV signals recorded in system logs.
- Worker restart messages in error.log referencing worker process exit codes such as 11 or 139.
- Inbound HTTP requests with unusually long or malformed Cookie, Authorization, or custom header values targeting locations that invoke ngx.fetch().
- Spikes in 502 or 504 responses from locations backed by the js_fetch_proxy directive.
Detection Strategies
- Inventory NGINX configurations for the js_fetch_proxy directive and flag any reference to $http_*, $arg_*, or $cookie_* variables.
- Monitor error.log for repeated signal 11 (SIGSEGV) received entries correlated with worker restarts.
- Inspect HTTP access logs for client requests immediately preceding worker crashes to identify malicious payload patterns.
Monitoring Recommendations
- Forward NGINX error.log and access.log to a centralized log platform with alerting on worker crash patterns.
- Enable core dump collection on NGINX hosts to support forensic analysis after suspected exploitation attempts.
- Track request volume and latency for any location implementing ngx.fetch() to identify abuse early.
How to Mitigate CVE-2026-8711
Immediate Actions Required
- Apply the fixed NGINX JavaScript module version once published by F5 per article K000161307.
- Audit all NGINX configurations and remove client-controlled variables from js_fetch_proxy directives until patched.
- Confirm that ASLR is enabled on every host running NGINX to prevent escalation from denial of service to code execution.
Patch Information
F5 published vendor guidance in security article K000161307. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to a supported release containing the fix.
Workarounds
- Replace client-controlled variables in js_fetch_proxy with static values or server-side computed variables.
- Restrict access to locations invoking ngx.fetch() through authentication, allowlists, or upstream Web Application Firewall (WAF) rules.
- Validate and length-limit headers, query arguments, and cookies referenced by njs handlers before they reach the fetch path.
# Verify ASLR is enabled on Linux NGINX hosts
cat /proc/sys/kernel/randomize_va_space
# Expected output: 2 (full randomization)
# Identify NGINX configurations using the vulnerable pattern
grep -rn "js_fetch_proxy" /etc/nginx/
grep -rn "ngx.fetch" /etc/nginx/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
