F5 has released security updates to address two critical vulnerabilities in NGINX Open Source that could allow remote attackers to execute arbitrary code on affected systems under specific conditions.
The vulnerabilities, tracked as CVE-2026-42530 and CVE-2026-42055, have each been assigned a CVSS v4 score of 9.2, highlighting their severity.
CVE-2026-42530 is a use-after-free vulnerability affecting the ngx_http_v3_module. According to F5, a remote unauthenticated attacker could exploit the flaw through a specially crafted HTTP/3 session when NGINX Open Source is configured to use the HTTP/3 QUIC module. Successful exploitation could lead to code execution on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.
The vulnerability affects NGINX Open Source versions 1.31.0 to 1.31.1 and has been fixed in version 1.31.2. It also impacts several related products, including NGINX Gateway Fabric, NGINX Instance Manager and NGINX Ingress Controller.
CVE-2026-42055 is a heap-based buffer overflow vulnerability affecting the ngx_http_proxy_v2_module and ngx_http_grpc_module. The flaw can be triggered by a remote unauthenticated attacker when HTTP/2 traffic is proxied using specific configurations, including the use of the proxy_http_version 2 or grpc_pass directives, ignore_invalid_headers set to off, and large_client_header_buffers configured above 2 MB.
If exploited, the vulnerability could allow code execution on systems with ASLR disabled or bypassed.
The flaw affects NGINX Open Source versions 1.30.0 to 1.30.2 and version 1.31.1. It has been fixed in NGINX Open Source versions 1.30.3 and 1.31.2. Several other products, including NGINX Plus, NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, F5 DoS for NGINX, NGINX App Protect DoS, NGINX Gateway Fabric and NGINX Ingress Controller, are also impacted.
To reduce risk, F5 has recommended disabling HTTP/3 as a mitigation for CVE-2026-42530. For CVE-2026-42055, organizations are advised to remove the ignore_invalid_headers off directive or reduce the large_client_header_buffers size to below 2 MB.
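A quick configuration check for the CVE-2026-42055 preconditions listed above, as an added example (not code from F5 or the advisory): it scans `nginx -T` output for the combination of HTTP/2 proxying, `ignore_invalid_headers off` and a `large_client_header_buffers` size over 2 MB. The sample configuration is constructed, the `assess`/`parse_size` names are mine, and reading the 2 MB figure as the directive's size argument is an assumption.

```python
import re

# Constructed sample of `nginx -T` output (not from the advisory) that meets
# every precondition the advisory lists for CVE-2026-42055.
SAMPLE_CONFIG = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
    }
}
"""
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
BUFFER_THRESHOLD = 2 * 1024 ** 2  # the 2 MB figure from the advisory

def parse_size(token):
    """Convert an nginx size token such as 8k or 4m to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def directives(config):
    """Yield (name, args) per directive, one per line; comments and braces are skipped.
    The scan is flat (no http/server/location scoping): treat hits as candidates to confirm by hand."""
    for line in config.splitlines():
        stmt = line.split("#", 1)[0].strip().rstrip(";")
        if stmt and not stmt.endswith("{") and stmt != "}":
            name, *args = stmt.split()
            yield name, args

def assess(config):
    """Return the CVE-2026-42055 preconditions found, plus whether all three hold together."""
    found = {"http2_proxy": False, "ignore_invalid_headers_off": False, "max_header_buffer": 0}
    for name, args in directives(config):
        if name == "grpc_pass" or (name == "proxy_http_version" and args[:1] == ["2"]):
            found["http2_proxy"] = True  # HTTP/2 is proxied to an upstream
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            found["ignore_invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            found["max_header_buffer"] = max(found["max_header_buffer"], parse_size(args[1]))
    found["exposed"] = (found["http2_proxy"] and found["ignore_invalid_headers_off"]
                        and found["max_header_buffer"] > BUFFER_THRESHOLD)
    return found
```

Run it as `nginx -T 2>/dev/null | python3 -c 'import sys, check; print(check.assess(sys.stdin.read()))'` with the block saved as `check.py`; an `exposed` result of `True` means the host needs the 1.30.3/1.31.2 update or one of the two configuration mitigations above.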
While F5 has not reported any active exploitation of these vulnerabilities, security flaws in F5 and NGINX products have frequently been targeted by threat actors. Last month, another critical NGINX vulnerability, CVE-2026-42945, also known as NGINX Rift, came under active exploitation shortly after its public disclosure.