F5 has issued critical security updates for NGINX Open Source, addressing two severe vulnerabilities that could allow remote attackers to execute arbitrary code on affected systems. The flaws, tracked as CVE-2026-42530 and CVE-2026-42055, both carry a CVSS v4 score of 9.2, highlighting their significant risk to cloud security and network infrastructure.
These vulnerabilities were discovered in modules related to HTTP/3 and proxy handling within NGINX. The urgent patching by F5 underscores the importance of maintaining up-to-date software to protect against sophisticated cyber threats. Attackers could potentially leverage these weaknesses to compromise servers, steal sensitive data, or disrupt services.
Critical NGINX Vulnerabilities Threaten Cloud Security
The first vulnerability, CVE-2026-42530, is a use-after-free flaw residing in the `ngx_http_v3_module`. Exploitation is possible when NGINX Open Source is configured to use the HTTP/3 QUIC module. According to F5’s advisory, an unauthenticated remote attacker could trigger this vulnerability by reopening a QPACK encoder stream through a specially crafted HTTP/3 session. Successful exploitation could lead to code execution, particularly on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed.
The second critical vulnerability, CVE-2026-42055, is a heap-based buffer overflow affecting the `ngx_http_proxy_v2_module` and `ngx_http_grpc_module` modules. This flaw can be exploited by a remote, unauthenticated attacker under specific configuration conditions: proxying HTTP/2 traffic via `proxy_http_version` set to 2 or a `grpc_pass` directive, with the `ignore_invalid_headers` directive set to `off`, and `large_client_header_buffers` configured to a size exceeding 2 MB. As with the first vulnerability, successful exploitation can result in code execution, especially without effective ASLR protections.
Affected NGINX Versions and Patching Information
F5 has detailed the specific versions of NGINX Open Source and NGINX Plus affected by these vulnerabilities. For CVE-2026-42530, NGINX Open Source versions 1.31.0 through 1.31.1 are impacted, with a fix available in version 1.31.2. Several versions of NGINX Gateway Fabric, NGINX Instance Manager, and NGINX Ingress Controller are also affected and have received patches.
Regarding CVE-2026-42055, a broader range of products is affected. NGINX Plus versions 37.0.0 through 37.0.1 are patched in 37.0.2.1, and R33 through R36 are fixed in R36 P6. NGINX Open Source versions 1.30.0 through 1.30.2 are patched in 1.30.3, while 1.31.1 is fixed in 1.31.2. Additionally, various versions of NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, F5 DoS for NGINX, and NGINX App Protect DoS are addressed, alongside the already mentioned NGINX Gateway Fabric and NGINX Ingress Controller products.
Mitigation Strategies for Unpatched Systems
For organizations unable to immediately upgrade, F5 has provided interim mitigation strategies. To address CVE-2026-42530, the recommended action is to disable the HTTP/3 protocol. For CVE-2026-42055, administrators can either remove the `ignore_invalid_headers off` directive from their NGINX configurations or reduce the size of the `large_client_header_buffers` directive to be less than 2 MB.
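As an added example (not F5's or the NGINX project's code), the following Python audit scans an nginx configuration for the CVE-2026-42055 precondition set described above and shows the effect of one of the interim mitigations. It assumes the documented `large_client_header_buffers number size` syntax and takes the 2 MB threshold from the advisory summary; the sample configurations are constructed.

```python
"""Flag nginx configs that meet all CVE-2026-42055 preconditions listed above.
Added example, not F5's or the NGINX project's code. A flat scan that ignores
http/server/location nesting and include files, so it errs on the side of flagging."""
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
THRESHOLD = 2 * 1024 ** 2  # the 2 MB buffer size F5 says must be exceeded


def parse_size(token: str) -> int:
    """Convert an nginx size token such as '8k' or '4m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"unrecognised nginx size: {token}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def directives(conf: str):
    """Yield (name, args) for each simple directive, comments and braces stripped."""
    text = re.sub(r"#.*", "", conf)    # drop comments
    text = re.sub(r"[{}]", ";", text)   # block braces end a statement too
    for stmt in text.split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def audit_cve_2026_42055(conf: str) -> dict:
    """Report which of the three preconditions are present and whether all are."""
    found = {"h2_proxy": False, "invalid_headers_off": False, "big_buffers": False}
    for name, args in directives(conf):
        if name == "grpc_pass" or (name == "proxy_http_version" and args[:1] == ["2"]):
            found["h2_proxy"] = True                 # HTTP/2 proxying in use
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            found["invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            # syntax: large_client_header_buffers <number> <size>
            if parse_size(args[1]) > THRESHOLD:
                found["big_buffers"] = True
    found["all_preconditions"] = all(found.values())
    return found


# Constructed sample: every precondition present in one file.
RISKY_CONF = """
http {
    ignore_invalid_headers off;        # the weak setting named in the advisory
    large_client_header_buffers 4 4m;  # 4 MB exceeds the 2 MB threshold
    server { location /api/ { proxy_http_version 2; proxy_pass http://backend; } }
}
"""
# Interim mitigation from the advisory: shrink the buffers below 2 MB.
MITIGATED_CONF = RISKY_CONF.replace("large_client_header_buffers 4 4m",
                                    "large_client_header_buffers 4 16k")
```

Running `audit_cve_2026_42055` on each config reports `all_preconditions` as true for the risky file and false once the buffer size is reduced.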
While F5 has not reported active exploitation of these specific flaws in the wild, the history of adversaries exploiting vulnerabilities in F5 products makes prompt action necessary. Just last month, a critical vulnerability in NGINX Plus and NGINX Open Source, known as NGINX Rift (CVE-2026-42945), saw active exploitation within days of its public disclosure, underscoring how quickly such flaws are weaponized.
The timely patching and mitigation of these newly disclosed vulnerabilities are crucial for maintaining secure NGINX deployments. Organizations should prioritize applying the provided updates to safeguard their systems against potential code execution attacks. Further advisories from F5 and security intelligence feeds should be monitored for any developments regarding these or other emerging threats.