Two critical vulnerabilities — CVE-2026-42530 and CVE-2026-42055 — in NGINX modules can be triggered by unauthenticated remote attackers to cause denial-of-service or, in some configurations, remote code execution, F5 said in out-of-band updates this week.
F5's out-of-band fixes and affected products
F5 released out-of-band security updates to address multiple NGINX web server vulnerabilities, including the two critical bugs. The company pushed fixes across several NGINX software products: NGINX Plus and NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager. Administrators are being urged to install the updates immediately where possible.
Technical impact: use-after-free and heap-based buffer overflow
The two critical flaws reside in NGINX modules: CVE-2026-42530 in the ngx_http_v3_module, and CVE-2026-42055 in the ngx_http_proxy_v2_module and ngx_http_grpc_module. Successful exploitation causes either a use-after-free or a heap-based buffer overflow inside the NGINX worker process. The worker crashes and the master process restarts it, so the baseline impact is denial of service: connections being handled by that worker are dropped, and an attacker who can trigger the bug repeatedly can keep workers cycling. In both cases, F5 noted the vulnerability can also "execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR." The vendor emphasized that the flaws are exploitable by unauthenticated remote actors, but only on systems configured in non-default ways; the mitigations that follow amount to reverting those settings to their defaults.
Configuration mitigations for administrators
For teams unable to apply updates immediately, F5 published configuration mitigations, each of which reverts a non-default setting. To reduce exposure to CVE-2026-42530, disable HTTP/3 by removing the quic parameter from every listen directive (for example, drop listen 443 quic reuseport; while keeping the TCP listen 443 ssl; beside it); clients that were negotiating HTTP/3 fall back to HTTP/2 or HTTP/1.1 over TCP. To mitigate CVE-2026-42055, remove any ignore_invalid_headers off directive, which restores the default of on, and lower the size argument of large_client_header_buffers (the directive takes a buffer count and a size, and defaults to 4 8k) to below 2 megabytes. After editing, validate the configuration with nginx -t and reload so the change reaches running workers. F5 presents these steps as temporary workarounds until patches can be applied.
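To make the exposure conditions above checkable rather than a matter of eyeballing configuration files, the following Python script (an added example for this article, not F5 or NGINX code) reads an nginx -T configuration dump and reports each of the three non-default settings F5 named: a quic parameter on any listen directive (CVE-2026-42530), ignore_invalid_headers off, and a large_client_header_buffers size of 2 megabytes or more (both CVE-2026-42055). The two embedded configurations are constructed samples, not real deployments; the 2m threshold is read from the advisory's wording ("below 2 megabytes") as inclusive; and the directive tokenizer assumes no semicolons inside quoted arguments. It is an audit aid only: it finds exposed settings and says nothing about whether a given build is patched.

```python
"""Audit an `nginx -T` dump for the non-default settings F5's advisory ties to
CVE-2026-42530 (HTTP/3 enabled) and CVE-2026-42055 (loosened header handling).
Example code written for this article; not part of NGINX or F5 tooling."""
import re
import sys

TWO_MB = 2 * 1024 * 1024

# nginx's size parser accepts only k/K and m/M suffixes for this directive.
_SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
_SIZE_RE = re.compile(r"^(\d+)([kKmM]?)$")
# A simple directive: name, arguments, terminating ';'. Block openers ('http {')
# carry no ';' and are therefore never matched.
_DIRECTIVE_RE = re.compile(r"([A-Za-z_][\w.]*)\s*([^;{}]*?)\s*;")


def parse_size(token):
    """Convert an nginx size token such as '8k' or '2m' to bytes."""
    m = _SIZE_RE.match(token)
    if not m:
        raise ValueError(f"not an nginx size: {token!r}")
    return int(m.group(1)) * _SIZE_UNITS[m.group(2).lower()]


def strip_comments(text):
    """Drop '#' comments (including the '# configuration file ...' headers that
    nginx -T emits). Assumes no '#' inside quoted directive arguments."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def directives(text):
    """Yield (name, [args]) for every simple directive in the dump. nginx -T has
    already inlined include files, so no file handling is needed here."""
    for m in _DIRECTIVE_RE.finditer(strip_comments(text)):
        yield m.group(1), m.group(2).split()


def audit(config_text):
    """Return the advisory-related non-default settings found in config_text."""
    report = {"http3_listen": [], "ignore_invalid_headers_off": False,
              "large_header_buffers": [], "findings": []}
    for name, args in directives(config_text):
        if name == "listen" and "quic" in args:
            report["http3_listen"].append(" ".join(args))
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            report["ignore_invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            # Second argument is the per-buffer size; an invalid size would
            # already have failed `nginx -t`, so ValueError is left to propagate.
            if parse_size(args[1]) >= TWO_MB:
                report["large_header_buffers"].append(args[1])
    if report["http3_listen"]:
        report["findings"].append(
            "CVE-2026-42530: HTTP/3 enabled on listen: "
            + ", ".join(report["http3_listen"]))
    if report["ignore_invalid_headers_off"]:
        report["findings"].append(
            "CVE-2026-42055: ignore_invalid_headers off is set (default is on)")
    if report["large_header_buffers"]:
        report["findings"].append(
            "CVE-2026-42055: large_client_header_buffers size >= 2m: "
            + ", ".join(report["large_header_buffers"]))
    return report


# Constructed sample: a non-default configuration with all three exposure conditions.
EXPOSED_CONF = """
http {
    large_client_header_buffers 4 2m;   # default is 4 8k
    ignore_invalid_headers off;         # default is on
    server {
        listen 443 ssl;
        listen 443 quic reuseport;      # enables HTTP/3
        server_name example.test;
        location / { proxy_pass http://127.0.0.1:8080; }
    }
}
"""

# Constructed sample: the same server after applying F5's workarounds.
MITIGATED_CONF = """
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        server_name example.test;
        location / { proxy_pass http://127.0.0.1:8080; }
    }
}
"""

if __name__ == "__main__":
    # Typical use: nginx -T 2>/dev/null | python3 audit_nginx.py
    # With no piped input the script audits the constructed EXPOSED_CONF sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else EXPOSED_CONF
    result = audit(text)
    for line in result["findings"] or ["no advisory-related non-default settings found"]:
        print(line)
    sys.exit(1 if result["findings"] else 0)
```

The script exits non-zero when any finding is present, so it can be run across a fleet from a job runner and the exit status collected. For NGINX Gateway Fabric and NGINX Instance Manager, which render configuration for the data-plane instances they manage, run it against nginx -T inside the data-plane container or host, since that is the configuration the workers actually load.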
NGINX Gateway Fabric: two high-severity arbitrary-configuration flaws
Alongside the critical NGINX module bugs, F5 also fixed two high-severity vulnerabilities in NGINX Gateway Fabric, tracked as CVE-2026-11311 and CVE-2026-50107. Those flaws can be exploited by authenticated attackers to inject arbitrary NGINX configuration directives, a capability that can materially alter how a server processes requests.
How technologists, affected enterprises, and adversaries are positioned
- Technologists and security teams: Apply the out-of-band patches for NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager where available; if immediate patching is impossible, apply the published mitigations (remove quic from listen directives to disable HTTP/3, drop ignore_invalid_headers off so the default of on applies, and set the large_client_header_buffers size below 2 megabytes) to reduce exposure until the update can be installed.
- Affected enterprises and procurement leaders: Inventory deployments of F5 and NGINX products. F5 serves over 23,000 customers worldwide, including 48 of the Fortune 50 and 80% of the Fortune Global 500, making the reach and potential impact of these vulnerabilities broad across large organizations.
- Adversaries and threat actors: While F5 did not flag any of these issues as already exploited in attacks, F5 vulnerabilities have "often been exploited by both cybercrime and nation-state threat groups in recent years," according to the company. Historical targeting of F5 products has included breaches to deploy data-wiping malware, map internal servers, hijack devices, and steal sensitive documents.
F5 disclosed in October that state-backed attackers had breached its systems in August 2025 and stolen undisclosed BIG-IP security vulnerabilities and source code. That breach is the recent precedent cited alongside this advisory, and it underscores why organizations should treat these patches with urgency.
The immediate imperative is straightforward: install the out-of-band updates F5 released for the named products, or apply the vendor's configuration mitigations until the updates can be installed. Whether organizations heed that guidance at scale will determine whether these flaws remain theoretical risks or become active vectors for disruptive or escalatory intrusions.




