Back to overview

CVE-2026-52865

MEDIUM
6.5
CVSS 3.1
Description
When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. Impact: The NGINX Ingress Controller control plane process terminates and enters a persistent crash loop while the malformed Ingress or TransportServer resource remains in the cluster. This vulnerability allows a remote, authenticated attacker with at least Ingress or TransportServer resource write access to cause a denial-of-service (DoS) on the NGINX Ingress Controller system. There is no data plane exposure; this is a control plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metadata

CVE ID
CVE-2026-52865
State
PUBLISHED
Assigner
f5
Reserved
2026-06-17 23:45 UTC
Published
2026-07-15 14:33 UTC
Last updated
2026-07-15 15:36 UTC
Primary CWE
CWE-476
CWE-476 NULL Pointer Dereference
Vendor / Product
F5 / NGINX Ingress Controller
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
F5 NGINX Ingress Controller 5.0.0 < 5.5.2, 2026-lts-r1 < 2026-lts-r3
Weakness (CWE)
CWESourceDescription
CWE-476 cna CWE-476 NULL Pointer Dereference
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Back to overview