CVE-2026-42530 and CVE-2026-42055 — both rated CVSS v4 9.2 — have prompted F5 to issue security updates across a wide range of NGINX products after the company identified two remote code-execution flaws in NGINX Open Source components.
CVE-2026-42530: a use-after-free in the HTTP/3 QUIC stack
F5 says CVE-2026-42530 is a use-after-free vulnerability in the ngx_http_v3_module. The flaw can be triggered by a remote, unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module: a specially crafted HTTP/3 session that reopens a QPACK encoder stream triggers the use-after-free. According to the advisory, successful exploitation may allow code execution on systems with Address Space Layout Randomization (ASLR) disabled or when an attacker can bypass ASLR.
CVE-2026-42055: heap overflow in proxy and gRPC handling
CVE-2026-42055 is reported as a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. The vulnerability can be triggered by a remote, unauthenticated attacker under a specific configuration: proxying HTTP/2 traffic with proxy_http_version set to 2 or using grpc_pass, the ignore_invalid_headers directive set to off, and large_client_header_buffers configured larger than 2 MB. As with the other flaw, exploitation may lead to code execution on systems with ASLR disabled or when ASLR can be bypassed.
Patched versions and affected products
F5 published fixes for multiple downstream products and versions. The company lists affected versions and the releases that correct them as follows.
- CVE-2026-42530 — Fixed in NGINX Open Source 1.31.2; affected releases include NGINX Open Source 1.31.0 - 1.31.1, NGINX Gateway Fabric 2.0.0 - 2.6.3 (fixed in 2.6.4), NGINX Gateway Fabric 1.3.0 - 1.6.2, NGINX Instance Manager 2.17.0 - 2.22.0, and NGINX Ingress Controller series 3.5.0 - 3.7.2, 4.0.0 - 4.0.1, and 5.0.0 - 5.5.0.
- CVE-2026-42055 — Fixed in NGINX Plus 37.0.2.1 (addresses 37.0.0 - 37.0.1), NGINX Plus R36 P6 (addresses R33 - R36), and in NGINX Open Source releases 1.30.3 and 1.31.2 (addresses 1.30.0 - 1.30.2 and 1.31.1). The advisory also lists NGINX Instance Manager 2.17.0 - 2.22.0, F5 WAF for NGINX 5.9.0 - 5.13.1, NGINX App Protect WAF 4.10.0 - 4.16.0 and 5.2.0 - 5.8.0, F5 DoS for NGINX 4.9.0, NGINX App Protect DoS 4.3.0 - 4.7.0, NGINX Gateway Fabric 2.0.0 - 2.6.3 (fixed in 2.6.4), NGINX Gateway Fabric 1.3.0 - 1.6.2, and NGINX Ingress Controller releases 3.5.0 - 3.7.2, 4.0.0 - 4.0.1, and 5.0.0 - 5.5.0.
Mitigations F5 recommends
Alongside patches, F5 published configuration mitigations that can reduce exposure while organizations deploy updates:
- For CVE-2026-42530: Disable HTTP/3.
- For CVE-2026-42055: Remove the ignore_invalid_headers off directive from the configuration, or reduce the large_client_header_buffers directive size below 2 MB.
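As an added check (illustrative code, not from F5 or the NGINX project), a small Python audit that scans an nginx.conf for the exposure preconditions named above: a QUIC listener for CVE-2026-42530, and the combination of proxy_http_version 2 or grpc_pass, ignore_invalid_headers off, and large_client_header_buffers above 2 MB for CVE-2026-42055. It assumes a single flat configuration file (include files and per-context inheritance are not followed) and runs on a constructed sample config.

```python
import re
# Constructed sample (not from the advisory) with both preconditions present.
SAMPLE_CONF = """
http {
    large_client_header_buffers 4 4m;
    ignore_invalid_headers off;
    server {
        listen 443 quic reuseport;
        location /api/ { proxy_http_version 2; proxy_pass https://backend; }
        location /rpc/ { grpc_pass grpc://rpcbackend; }
    }
}
"""
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
TWO_MB = 2 * 1024 * 1024

def parse_size(token):
    """Convert an nginx size token such as 8k or 4m into bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised size: {token}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def directives(conf):
    """Yield (name, args) per statement; braces act as terminators, so block
    openers such as 'server {' show up as argument-less names we ignore."""
    flat = re.sub(r"#.*", "", conf).replace("{", ";").replace("}", ";")
    for stmt in flat.split(";"):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Flag the advisory's preconditions. Simplification: the file is read as one
    flat context, so per-server and per-location inheritance is not modelled."""
    quic_listener = h2_upstream = invalid_off = False
    biggest = 0
    for name, args in directives(conf):
        if name == "listen" and "quic" in args:
            quic_listener = True
        elif name == "grpc_pass" or (name == "proxy_http_version" and args == ["2"]):
            h2_upstream = True
        elif name == "ignore_invalid_headers" and args == ["off"]:
            invalid_off = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            biggest = max(biggest, parse_size(args[1]))
    return {"cve_2026_42530_exposed": quic_listener,
            "cve_2026_42055_exposed": h2_upstream and invalid_off and biggest > TWO_MB,
            "large_client_header_buffer_bytes": biggest}
```

A hit means the mitigations above apply to that host; it says nothing about the running binary's version, which still has to be compared against the fixed releases F5 lists.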
What this means for technologists, procurement leaders, and adversaries
- Technologists and security teams: Confirm which NGINX and F5-managed NGINX derivative versions are in use, apply the listed fixes (for example, NGINX Open Source 1.31.2, NGINX Open Source 1.30.3, NGINX Plus 37.0.2.1, or the equivalent patched downstream releases), or implement the recommended mitigations (disable HTTP/3; change ignore_invalid_headers or reduce large_client_header_buffers) while patches are scheduled.
- Procurement and configuration managers: Inventory deployments of NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, NGINX Instance Manager, NGINX Ingress Controller, and the listed WAF/DoS products to identify devices running the affected versions and prioritize upgrades to the fixed releases named by F5.
- Adversaries and threat actors: Although F5 makes no mention of the vulnerabilities being exploited in the wild, the advisory notes that security flaws in F5 products have been repeatedly exploited by bad actors. As recently as last month, another critical security defect in NGINX Plus and NGINX Open Source (CVE-2026-42945, CVSS score: 9.2), also called NGINX Rift, came under active exploitation within days after public disclosure.
Two important facts anchor this bulletin: the flaws enable remote, unauthenticated triggers that can lead to code execution on systems lacking effective ASLR protections, and the fixes cut across both Open Source and commercial NGINX-based products. The combination of high CVSS scores, wide product exposure, and a recent precedent of rapid exploitation in a separate NGINX vulnerability creates a clear operational imperative: identify affected instances, apply the fixed versions F5 publishes, or adopt the temporary mitigations F5 recommends.