F5 Releases Patches for Critical NGINX Vulnerabilities

F5 has issued security updates to address two critical vulnerabilities in NGINX Open Source that could allow remote code execution on affected systems.

Details of the Vulnerabilities

The first vulnerability, identified as CVE-2026-42530 with a CVSS v4 score of 9.2, is a use-after-free flaw in the ngx_http_v3_module. A remote, unauthenticated attacker can trigger it when NGINX is configured to serve HTTP/3 over QUIC. By reopening a QPACK encoder stream within a specially crafted HTTP/3 session, the attacker could execute code on systems where Address Space Layout Randomization (ASLR) is disabled or bypassed.

The second vulnerability, CVE-2026-42055, also rated 9.2 (CVSS v4), is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. Exploitation requires all of the following conditions to hold: NGINX proxies HTTP/2 traffic upstream (proxy_http_version is set to 2, or grpc_pass directives are used), the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size exceeds 2 MB. Under these conditions, a remote attacker could execute code on systems with ASLR disabled or bypassed.

Affected Versions and Mitigations

F5 has released patches for the following versions:

  • CVE-2026-42530:
    • NGINX Open Source 1.31.0 – 1.31.1 (Fixed in 1.31.2)
    • NGINX Gateway Fabric 2.0.0 – 2.6.3 (Fixed in 2.6.4)
    • NGINX Gateway Fabric 1.3.0 – 1.6.2
    • NGINX Instance Manager 2.17.0 – 2.22.0
    • NGINX Ingress Controller 5.0.0 – 5.5.0
    • NGINX Ingress Controller 4.0.0 – 4.0.1
    • NGINX Ingress Controller 3.5.0 – 3.7.2
  • CVE-2026-42055:
    • NGINX Plus 37.0.0 – 37.0.1 (Fixed in 37.0.2.1)
    • NGINX Plus R33 – R36 (Fixed in R36 P6)
    • NGINX Open Source 1.31.1 (Fixed in 1.31.2)
    • NGINX Open Source 1.30.0 – 1.30.2 (Fixed in 1.30.3)
    • NGINX Instance Manager 2.17.0 – 2.22.0
    • F5 WAF for NGINX 5.9.0 – 5.13.1
    • NGINX App Protect WAF 5.2.0 – 5.8.0
    • NGINX App Protect WAF 4.10.0 – 4.16.0
    • F5 DoS for NGINX 4.9.0
    • NGINX App Protect DoS 4.3.0 – 4.7.0
    • NGINX Gateway Fabric 2.0.0 – 2.6.3 (Fixed in 2.6.4)
    • NGINX Gateway Fabric 1.3.0 – 1.6.2
    • NGINX Ingress Controller 5.0.0 – 5.5.0
    • NGINX Ingress Controller 4.0.0 – 4.0.1
    • NGINX Ingress Controller 3.5.0 – 3.7.2

To mitigate these vulnerabilities, F5 recommends the following actions:

  • CVE-2026-42530: Disable HTTP/3.
  • CVE-2026-42055: Remove the ‘ignore_invalid_headers off’ directive from the configuration (the directive defaults to on) or reduce the ‘large_client_header_buffers’ size below 2 MB.
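The following checker, added here as an example and not F5's own tooling, flattens an NGINX configuration into directives and reports whether it meets the preconditions of either advisory: a QUIC listener or ‘http3 on’ for CVE-2026-42530, and HTTP/2 proxying (‘proxy_http_version 2’ or ‘grpc_pass’) combined with ‘ignore_invalid_headers off’ and a ‘large_client_header_buffers’ size above 2 MB for CVE-2026-42055. The two sample configurations are constructed for this example; the second applies the mitigations listed above while keeping the same proxying setup.

```python
"""Added example: audit an NGINX configuration for the preconditions of the
two advisories. Sample configurations are constructed; this is not F5 code."""
import re

# Quoted strings first so a '#' inside quotes is not a comment; a '#' at token
# start begins a comment, as in nginx's own tokenizer.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};"\']+')

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
TWO_MB = 2 * 1024 ** 2


def parse_size(token):
    """Convert an nginx size token such as '8k' or '4m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"not an nginx size: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def parse_directives(text):
    """Flatten a config into (context, name, args) triples.

    context is the tuple of enclosing block names, e.g. ('http', 'server').
    'include' files are not followed.
    """
    out, ctx, cur = [], [], []
    for tok in TOKEN_RE.findall(text):
        if tok.startswith("#"):
            continue
        if tok == ";":
            if cur:
                out.append((tuple(ctx), cur[0], [a.strip("\"'") for a in cur[1:]]))
            cur = []
        elif tok == "{":
            ctx.append(cur[0] if cur else "")
            cur = []
        elif tok == "}":
            if ctx:
                ctx.pop()
        else:
            cur.append(tok)
    return out


def audit(config_text):
    """Report which advisory preconditions the configuration satisfies.

    Deliberately conservative: a directive anywhere in the file counts, so
    per-server inheritance of http-level settings is not modelled.
    """
    f = {"http3_enabled": False, "h2_proxy": False,
         "ignore_invalid_headers_off": False, "header_buffers_over_2mb": False}
    for _ctx, name, args in parse_directives(config_text):
        if name == "listen" and "quic" in args:
            f["http3_enabled"] = True
        elif name == "http3" and args == ["on"]:
            f["http3_enabled"] = True
        elif name == "grpc_pass":
            f["h2_proxy"] = True
        elif name == "proxy_http_version" and args == ["2"]:
            f["h2_proxy"] = True
        elif name == "ignore_invalid_headers" and args == ["off"]:
            f["ignore_invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            if parse_size(args[1]) > TWO_MB:
                f["header_buffers_over_2mb"] = True
    # CVE-2026-42530 needs only HTTP/3; CVE-2026-42055 needs all three conditions.
    f["cve_2026_42530_exposed"] = f["http3_enabled"]
    f["cve_2026_42055_exposed"] = (f["h2_proxy"] and f["ignore_invalid_headers_off"]
                                   and f["header_buffers_over_2mb"])
    return f


# Constructed sample: meets every precondition of both advisories.
VULNERABLE_CONF = """
http {
    ignore_invalid_headers off;          # disables the header sanity check
    large_client_header_buffers 4 4m;    # 4 MB, above the 2 MB threshold
    server {
        listen 443 ssl;
        listen 443 quic reuseport;       # HTTP/3 over QUIC
        http3 on;
        location /api/ {
            proxy_http_version 2;        # HTTP/2 to the upstream
            proxy_pass https://backend;
        }
        location /grpc/ { grpc_pass grpc://backend; }
    }
}
"""

# Constructed sample: same proxying, with the listed mitigations applied
# (no QUIC listener, ignore_invalid_headers left at its default, buffers 16k).
HARDENED_CONF = """
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
        location /grpc/ { grpc_pass grpc://backend; }
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        r = audit(conf)
        print(label, "CVE-2026-42530:", r["cve_2026_42530_exposed"],
              "CVE-2026-42055:", r["cve_2026_42055_exposed"])
```

To run it against a live deployment, pass the text of each configuration file to audit(); because include directives are not followed, check every included file separately, and remember that a compile-time check like this only confirms the preconditions are absent; it is no substitute for applying the fixed versions listed above.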

While there are no reports of these vulnerabilities being exploited in the wild, similar flaws in F5 products have been targeted by malicious actors in the past. For instance, the critical ‘NGINX Rift’ vulnerability (CVE-2026-42945) was actively exploited shortly after its disclosure last month.

Given NGINX’s widespread use as a web server and reverse proxy, these vulnerabilities pose significant risks to internet infrastructure. Administrators are urged to apply the patches promptly and to review their configurations to confirm that none of the conditions above applies to them.