F5 patches two critical NGINX flaws that could lead to code execution

F5 has issued security updates for two critical vulnerabilities in NGINX Open Source, tracked as CVE-2026-42530 and CVE-2026-42055, that could allow remote code execution on affected systems.

KEY FACTS

  • Severity: Both issues carry a CVSS v4 score of 9.2.
  • CVE-2026-42530: A use-after-free flaw in the ngx_http_v3_module affects HTTP/3 QUIC configurations.
  • CVE-2026-42055: A heap-based buffer overflow affects proxied HTTP/2 and gRPC traffic under specific settings.
  • Fixes: Updated releases are available across NGINX Open Source, NGINX Plus and several F5 products.

A security advisory from F5 says CVE-2026-42530 can be triggered by a remote, unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module; the trigger is reopening a QPACK encoder stream through a specially crafted HTTP/3 session. The advisory says successful code execution depends on Address Space Layout Randomization (ASLR) being disabled or bypassed on the target system.

The second flaw, CVE-2026-42055, affects the ngx_http_proxy_v2_module and ngx_http_grpc_module when HTTP/2 traffic is proxied upstream, either with proxy_http_version set to 2 or through grpc_pass directives. The disclosure says the issue also requires ignore_invalid_headers to be set to off and large_client_header_buffers to be larger than 2 MB.

F5 said CVE-2026-42530 is fixed in NGINX Open Source 1.31.2 and in updated releases for NGINX Gateway Fabric, NGINX Instance Manager and NGINX Ingress Controller. CVE-2026-42055 is fixed in NGINX Plus 37.0.2.1, NGINX Plus R36 P6, NGINX Open Source 1.30.3 and 1.31.2, along with updates for NGINX App Protect, F5 WAF for NGINX, F5 DoS for NGINX, NGINX Gateway Fabric and NGINX Ingress Controller.

The company outlined mitigations that include disabling HTTP/3 for CVE-2026-42530 and, for CVE-2026-42055, removing the ignore_invalid_headers off setting or reducing large_client_header_buffers to below 2 MB. It did not say the bugs were being exploited in the wild.
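Because both flaws are only reachable under specific directive combinations, a defender's first step is to audit the running configuration for those preconditions. The following Python checker is an added example (not F5's or NGINX's own tooling); it assumes a flat nginx.conf text with includes already resolved, uses constructed sample configs, and tests only the directive values the advisory names.

```python
import re
# Added illustrative checker (not F5's or NGINX's own tooling): assumes a flat
# nginx.conf text with includes already resolved; tests only the advisory's preconditions.
_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
TWO_MB = 2 * 1024 ** 2

def _directives(conf: str, name: str) -> list[list[str]]:
    # Argument lists of every occurrence of a simple directive, comments stripped.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    pattern = re.compile(r"(?<![\w.])" + re.escape(name) + r"\s+([^;{}]*);")
    return [m.group(1).split() for m in pattern.finditer(text)]

def parse_size(token: str) -> int:
    # nginx size syntax: bare bytes or a k/m/g suffix, e.g. "8k" or "3m".
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"bad nginx size: {token!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).lower()]

def h2_proxying(conf: str) -> bool:
    # HTTP/2 is proxied upstream via 'proxy_http_version 2' or any grpc_pass.
    return (any(a == ["2"] for a in _directives(conf, "proxy_http_version"))
            or bool(_directives(conf, "grpc_pass")))

def cve_2026_42055_reachable(conf: str) -> bool:
    # All three advisory conditions must hold at once for the overflow to be reachable.
    invalid_off = any(a == ["off"] for a in _directives(conf, "ignore_invalid_headers"))
    big_buffers = any(len(a) == 2 and parse_size(a[1]) > TWO_MB
                      for a in _directives(conf, "large_client_header_buffers"))
    return h2_proxying(conf) and invalid_off and big_buffers

def http3_enabled(conf: str) -> bool:
    # CVE-2026-42530 needs HTTP/3, which nginx serves only on a 'listen ... quic' socket.
    return any("quic" in a for a in _directives(conf, "listen"))

# Constructed sample config with the exposed combination, and its mitigated form.
EXPOSED_CONF = """
http {
    ignore_invalid_headers off;          # accepts malformed header names
    large_client_header_buffers 4 3m;    # 3 MB, above the 2 MB threshold
    server {
        listen 443 ssl;
        listen 443 quic;                 # HTTP/3 enabled
        location /api/  { proxy_pass http://backend; proxy_http_version 2; }
        location /grpc/ { grpc_pass grpc://backend; }
    }
}
"""
MITIGATED_CONF = (EXPOSED_CONF.replace("ignore_invalid_headers off;", "")
                  .replace("4 3m", "4 1m").replace("listen 443 quic;", ""))
```

Run it against `nginx -T` output to cover included files; the mitigated form keeps HTTP/2 proxying but no longer meets the advisory's preconditions.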

WHY IT MATTERS

High-severity flaws in widely used web infrastructure can expose servers and downstream services to compromise if they are left unpatched. The advisory adds to a recent pattern of serious NGINX issues that, according to security researchers, have drawn active exploitation soon after disclosure.