F5 has released urgent security updates to address two critical vulnerabilities in NGINX Open Source that could allow remote attackers to execute arbitrary code on affected systems under specific conditions.
The flaws, tracked as CVE-2026-42530 and CVE-2026-42055, both carry a CVSS v4 score of 9.2, making them high-priority security risks for organizations running vulnerable NGINX deployments.
Critical Vulnerability in HTTP/3 QUIC Module (CVE-2026-42530)
The first vulnerability, CVE-2026-42530, is a use-after-free flaw affecting the ngx_http_v3_module.
According to F5, an unauthenticated remote attacker could exploit the issue by sending a specially crafted HTTP/3 session that reopens a QPACK encoder stream. Successful exploitation may result in arbitrary code execution on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.
Affected Versions
The vulnerability impacts the following products and versions:
- NGINX Open Source 1.31.0 – 1.31.1 (fixed in 1.31.2)
- NGINX Gateway Fabric 2.0.0 – 2.6.3 (fixed in 2.6.4)
- NGINX Gateway Fabric 1.3.0 – 1.6.2
- NGINX Instance Manager 2.17.0 – 2.22.0
- NGINX Ingress Controller 5.0.0 – 5.5.0
- NGINX Ingress Controller 4.0.0 – 4.0.1
- NGINX Ingress Controller 3.5.0 – 3.7.2
Heap-Based Buffer Overflow in HTTP/2 and gRPC Modules (CVE-2026-42055)
The second flaw, CVE-2026-42055, is a heap-based buffer overflow vulnerability affecting the ngx_http_proxy_v2_module and ngx_http_grpc_module.
The issue can be triggered by a remote unauthenticated attacker when the following conditions are met:
- HTTP/2 proxying is enabled using proxy_http_version 2, or gRPC traffic is proxied using grpc_pass
- The ignore_invalid_headers directive is set to off
- The large_client_header_buffers directive is configured with a size greater than 2 MB
Under these circumstances, attackers could potentially achieve remote code execution on systems where ASLR protections are disabled or bypassed.
Affected Versions
The vulnerability affects multiple NGINX and F5 products, including:
- NGINX Plus 37.0.0 – 37.0.1 (fixed in 37.0.2.1)
- NGINX Plus R33 – R36 (fixed in R36 P6)
- NGINX Open Source 1.31.1 (fixed in 1.31.2)
- NGINX Open Source 1.30.0 – 1.30.2 (fixed in 1.30.3)
- NGINX Instance Manager 2.17.0 – 2.22.0
- F5 WAF for NGINX 5.9.0 – 5.13.1
- NGINX App Protect WAF 5.2.0 – 5.8.0
- NGINX App Protect WAF 4.10.0 – 4.16.0
- F5 DoS for NGINX 4.9.0
- NGINX App Protect DoS 4.3.0 – 4.7.0
- NGINX Gateway Fabric 2.0.0 – 2.6.3 (fixed in 2.6.4)
- NGINX Gateway Fabric 1.3.0 – 1.6.2
- NGINX Ingress Controller 5.0.0 – 5.5.0
- NGINX Ingress Controller 4.0.0 – 4.0.1
- NGINX Ingress Controller 3.5.0 – 3.7.2
Recommended Mitigations
Organizations unable to immediately apply patches should consider the following temporary mitigation measures:
For CVE-2026-42530
- Disable HTTP/3 functionality until updates can be deployed.
For CVE-2026-42055
- Remove the ignore_invalid_headers off directive from NGINX configurations.
- Reduce the large_client_header_buffers setting to less than 2 MB.
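As an added example (not code from F5 or the NGINX project), the following Python checker scans an nginx configuration for the three preconditions of CVE-2026-42055 listed above, so an administrator can confirm whether the mitigation (dropping ignore_invalid_headers off and shrinking large_client_header_buffers) has actually taken effect. It assumes an unquoted configuration with no include files, treats the advisory's 2 MB threshold as 2,097,152 bytes, and the sample configuration is constructed for illustration.

```python
import re

# Advisory threshold: large_client_header_buffers larger than 2 MB (assumed 2 MiB).
TWO_MB = 2 * 1024 * 1024
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_size(token):
    """Parse an nginx size value such as 8k, 4m or 16384 into bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"unrecognised size: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def directives(conf_text):
    """Yield (name, args) for every simple directive, flattening block nesting.
    Comments (# to end of line) are stripped; quoted values are not handled."""
    stripped = re.sub(r"#.*", "", conf_text)
    for stmt in re.split(r"[;{}]", stripped):  # braces act as separators
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def check_cve_2026_42055(conf_text):
    """Return the sorted list of CVE-2026-42055 preconditions this config meets."""
    hits = set()
    for name, args in directives(conf_text):
        if name == "proxy_http_version" and args[:1] == ["2"]:
            hits.add("http2_proxy")
        elif name == "grpc_pass":
            hits.add("http2_proxy")
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            hits.add("ignore_invalid_headers_off")
        elif name == "large_client_header_buffers" and len(args) == 2:
            if parse_size(args[1]) > TWO_MB:
                hits.add("large_client_header_buffers_gt_2m")
    return sorted(hits)

def is_exposed(conf_text):
    """All three preconditions must hold for the overflow to be reachable."""
    return len(check_cve_2026_42055(conf_text)) == 3

# Constructed sample configuration that meets every precondition.
SAMPLE_CONF = """
http {
    ignore_invalid_headers off;          # weakens header validation
    large_client_header_buffers 4 4m;    # 4 MiB, above the 2 MB threshold
    server {
        listen 443 ssl;
        location /api/  { proxy_http_version 2; proxy_pass https://backend; }
        location /grpc/ { grpc_pass grpc://grpc_backend; }
    }
}
"""
```

Running is_exposed(SAMPLE_CONF) reports True; after removing the ignore_invalid_headers off line or lowering the buffer size to 1m it reports False.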
While F5 has not reported any active exploitation of these vulnerabilities, administrators are strongly encouraged to update affected systems as soon as possible.
Growing Concern Over NGINX Security Threats
The latest disclosures continue a trend of attackers targeting vulnerabilities in NGINX and F5 products. Security experts note that critical flaws in these platforms often attract rapid attention from threat actors due to their widespread deployment across enterprise environments.
Last month, another critical NGINX vulnerability, CVE-2026-42945, commonly referred to as “NGINX Rift,” entered active exploitation shortly after its public disclosure. The incident highlighted the importance of timely patch management and proactive security monitoring for internet-facing infrastructure.
Organizations using NGINX-based products should review their deployments, verify version status, and apply available security updates without delay to minimize exposure to potential attacks.
