F5 Patches Two Critical NGINX Open Source Flaws
Overview

F5 has released urgent security updates for two critical vulnerabilities in NGINX Open Source, both rated CVSS 9.2, that could allow remote unauthenticated attackers to execute code on affected systems. These flaws impact multiple NGINX modules and products across the F5 ecosystem, making patching a top priority for cloud and network administrators.

Vulnerability Breakdown

| CVE ID | Module Affected | Attack Vector | Impact |
|---|---|---|---|
| CVE-2026-42530 | ngx_http_v3_module (HTTP/3 QUIC) | Crafted HTTP/3 session reopens QPACK encoder stream | Use-after-free → Remote Code Execution (RCE) |
| CVE-2026-42055 | ngx_http_proxy_v2_module, ngx_http_grpc_module | Malicious HTTP/2 traffic via proxy directives | Heap overflow → Remote Code Execution (RCE) |

Both vulnerabilities can be exploited when Address Space Layout Randomization (ASLR) is disabled or bypassed, giving attackers direct memory control over NGINX processes.

Technical Context

CVE-2026-42530 targets the HTTP/3 QUIC module by manipulating QPACK encoder streams to trigger a use-after-free condition. This lets attackers inject malicious payloads into memory and execute arbitrary code.

CVE-2026-42055 affects the HTTP/2 proxy and gRPC modules when specific directives are enabled (proxy_http_version 2, grpc_pass, ignore_invalid_headers off, and large_client_header_buffers > 2 MB). The resulting heap overflow can overwrite critical memory structures and lead to system compromise.

Affected Versions

| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| NGINX Open Source | […] | |
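A configuration audit for the CVE-2026-42055 preconditions listed above, added here as an example and not part of F5's advisory or NGINX itself. It assumes the directive names and the 2 MB threshold exactly as the advisory states them, reads "proxy_http_version 2 or grpc_pass" as the module trigger and the other two directives as both required, and uses a constructed config fragment as input.

```python
import re

# Constructed nginx configuration fragment (not from the advisory).
SAMPLE_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;   # 4 MB per buffer, above the 2 MB threshold
    server {
        listen 443 ssl;
        location /api/ {
            proxy_http_version 2;
            proxy_pass http://backend;
        }
        location /grpc/ {
            grpc_pass grpc://grpcbackend;
        }
    }
}
"""

_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

def _size_bytes(token):
    """Convert an nginx size token such as '8k' or '4m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised size: {token}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).lower()]

def _directives(conf):
    """Yield (name, args) for each directive; comments and block braces are skipped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def audit_cve_2026_42055(conf):
    """Report which advisory preconditions are present and whether all are met."""
    found = {"proxy_http_version_2": False, "grpc_pass": False,
             "ignore_invalid_headers_off": False, "header_buffer_over_2mb": False}
    for name, args in _directives(conf):
        if name == "proxy_http_version" and args[:1] == ["2"]:
            found["proxy_http_version_2"] = True
        elif name == "grpc_pass":
            found["grpc_pass"] = True
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            found["ignore_invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            found["header_buffer_over_2mb"] = _size_bytes(args[1]) > 2 * 1024 ** 2
    found["exposed"] = ((found["proxy_http_version_2"] or found["grpc_pass"])
                        and found["ignore_invalid_headers_off"]
                        and found["header_buffer_over_2mb"])
    return found
```

Run it over the output of `nginx -T` to audit a live configuration; a result with `exposed` set to True marks a host where patching should be prioritised.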