Overview
F5 has released urgent security updates for two critical vulnerabilities in NGINX Open Source, both rated CVSS 9.2, that could allow remote unauthenticated attackers to execute code on affected systems. These flaws impact multiple NGINX modules and products across the F5 ecosystem, making patching a top priority for cloud and network administrators.

Vulnerability Breakdown
| CVE ID | Module Affected | Attack Vector | Impact |
|---|---|---|---|
| CVE‑2026‑42530 | ngx_http_v3_module (HTTP/3 QUIC) | Crafted HTTP/3 session reopens QPACK encoder stream | Use‑after‑free → Remote Code Execution (RCE) |
| CVE‑2026‑42055 | ngx_http_proxy_v2_module, ngx_http_grpc_module | Malicious HTTP/2 traffic via proxy directives | Heap overflow → Remote Code Execution (RCE) |
Both vulnerabilities can be exploited when Address Space Layout Randomization (ASLR) is disabled or bypassed, giving attackers direct memory control over NGINX processes.
Technical Context
CVE‑2026‑42530 targets the HTTP/3 QUIC module by manipulating QPACK encoder streams to trigger a use‑after‑free condition. This lets attackers inject malicious payloads into memory and execute arbitrary code.
CVE‑2026‑42055 affects HTTP/2 proxy and gRPC modules when specific directives are enabled (proxy_http_version 2, grpc_pass, ignore_invalid_headers off, and large_client_header_buffers > 2 MB). The resulting heap overflow can overwrite critical memory structures and lead to system compromise.
Affected Versions
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| NGINX Open Source | 1.30.0 – 1.31.1 | 1.31.2 |
| NGINX Plus | R33 – R37.0.1 | R36 P6 / 37.0.2.1 |
| NGINX Gateway Fabric | 1.3.0 – 2.6.3 | 2.6.4 |
| NGINX Ingress Controller | 3.5.0 – 5.5.0 | 5.5.1 |
| NGINX App Protect WAF / DoS | 4.10.0 – 5.13.1 | Latest patch release |
F5 also confirmed that NGINX Instance Manager and F5 WAF for NGINX are affected and should be updated immediately.
Mitigation Steps
F5 outlined temporary workarounds for organizations unable to patch right away:
- Disable HTTP/3 → Mitigates CVE‑2026‑42530.
- Remove ignore_invalid_headers off or reduce large_client_header_buffers below 2 MB → Mitigates CVE‑2026‑42055.
- Enable ASLR system‑wide → Adds a layer of memory protection against RCE exploitation.
- Monitor F5 and NGINX advisories → Stay updated on patch releases and exploit activity.
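An added example, not code from F5 or the NGINX project: a POSIX shell audit that checks an nginx configuration for the exposure conditions listed above (HTTP/3 listener, HTTP/2 proxying combined with ignore_invalid_headers off or large_client_header_buffers above 2 MB) and reports the kernel ASLR setting. The sample configuration it writes is constructed for illustration; the directive names are real nginx directives.

```shell
# Added example, not F5 or NGINX project code: audit an nginx config for the
# exposure conditions named in the advisory. The sample config is constructed.
TWO_MB=2097152

# Convert an nginx size value (8k, 4m, 16384) to bytes.
size_to_bytes() {
    num=$(printf '%s' "$1" | sed 's/[kKmM]$//')
    case "$1" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Print one line per risky setting found in the config file named by $1.
audit_nginx_conf() {
    stripped=$(sed 's/#.*$//' "$1")      # drop comments before matching
    if printf '%s\n' "$stripped" | grep -Eq 'listen[^;]*(quic|http3)'; then
        echo "HTTP/3 listener enabled -> CVE-2026-42530 exposure; disable until patched"
    fi
    # The heap-overflow path needs HTTP/2 proxying plus both header settings.
    if printf '%s\n' "$stripped" | grep -Eq 'proxy_http_version[[:space:]]+2|grpc_pass'; then
        if printf '%s\n' "$stripped" | grep -Eq 'ignore_invalid_headers[[:space:]]+off'; then
            echo "ignore_invalid_headers off with HTTP/2 proxying -> remove it (CVE-2026-42055)"
        fi
        lchb=$(printf '%s\n' "$stripped" |
            sed -n 's/.*large_client_header_buffers[[:space:]]*[0-9]*[[:space:]]*\([0-9]*[kKmM]*\).*/\1/p' | head -n 1)
        if [ "$(size_to_bytes "${lchb:-8k}")" -gt "$TWO_MB" ]; then
            echo "large_client_header_buffers $lchb exceeds 2 MB -> reduce it (CVE-2026-42055)"
        fi
    fi
}

# Kernel ASLR state on Linux: 2 = full randomization, 0 = disabled.
aslr_status() { cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown; }
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
http {
    large_client_header_buffers 4 4m;
    ignore_invalid_headers off;
    server {
        listen 443 quic reuseport;   # HTTP/3
        location /api/ { proxy_http_version 2; proxy_pass https://backend; }
    }
}
EOF
audit_nginx_conf "$SAMPLE_CONF"
echo "ASLR (randomize_va_space): $(aslr_status)"
```

Run it against a real config with `audit_nginx_conf /etc/nginx/nginx.conf`; an empty report means none of the listed exposure conditions are present in that file (included files must be checked separately).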
Exploitation History
While F5 has not yet confirmed active exploitation, recent history suggests a pattern. Just last month, the NGINX Rift vulnerability (CVE‑2026‑42945) was weaponized within days of disclosure. Given the critical nature of these new flaws, organizations should assume that proof‑of‑concept exploits will surface soon.
Expert in the Cloud Insight
The NGINX ecosystem powers a significant portion of global web infrastructure, from reverse proxies to API gateways. When core modules like HTTP/3 and HTTP/2 proxy are compromised, the impact extends beyond individual servers to entire cloud architectures.
For security leaders, this incident underscores the importance of continuous patch management, runtime hardening, and defense‑in‑depth strategies. Disabling experimental protocols like HTTP/3 until fully vetted is a prudent move for production environments.