Use of uninitialized resource in NGINX Plus and NGINX Open Source - CVE-2026-60005
Published: July 16, 2026
NGINX Plus
NGINX Open Source
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose limited memory contents or cause a denial of service.
The vulnerability exists due to use of an uninitialized resource in ngx_http_slice_module when handling requests with the slice directive and unnamed regex captures configured or during a background cache update. A remote attacker can send crafted requests to disclose limited memory contents or cause a denial of service.
The issue affects the NGINX worker process and is limited to the data plane. The module is not enabled by default and must be built with the --with-http_slice_module configuration parameter.