F5 Patches Critical NGINX Vulnerabilities Allowing Remote Code Execution
F5 released out-of-band patches for multiple critical and high-severity NGINX vulnerabilities, including two CVSS 9.2 flaws that could allow unauthenticated remote code execution.

F5 on Wednesday released out-of-band security updates to address multiple critical and high-severity vulnerabilities in its NGINX product line, including flaws that could allow remote, unauthenticated attackers to execute arbitrary code. The patches cover NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric, and users are urged to apply the updates immediately.
The most severe vulnerabilities are CVE-2026-42530 and CVE-2026-42055, both carrying a CVSS score of 9.2. These bugs affect HTTP modules and can be exploited without authentication to trigger a use-after-free or a heap-based buffer overflow, respectively. The reliable outcome of exploitation is a crash of the NGINX worker process, which the master process then restarts, resulting in a denial-of-service condition. If Address Space Layout Randomization (ASLR) is disabled or can be bypassed, the attacker can escalate the impact to arbitrary code execution in the context of the worker process.
In addition to the critical flaws, F5 also patched two high-severity vulnerabilities in NGINX Gateway Fabric: CVE-2026-11311 and CVE-2026-50107. These allow authenticated attackers to inject arbitrary NGINX configuration directives. According to F5, successful exploitation may enable the attacker to expose sensitive data from the NGINX pod filesystem, proxy traffic to attacker-controlled endpoints, or cause a denial-of-service condition by injecting configuration that prevents NGINX from reloading.
The company also addressed two medium-severity NGINX flaws that allow remote attackers to disclose memory contents or restart the NGINX worker process, potentially causing a denial-of-service. F5 has released updated versions of NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric that resolve all these security defects.
F5 makes no mention of any of these vulnerabilities being exploited in the wild, but the patches come at a critical time as NGINX has recently been targeted in attacks. The widespread deployment of NGINX as a web server, reverse proxy, and load balancer makes these vulnerabilities particularly dangerous for organizations relying on the software for their infrastructure.
Security experts recommend that organizations running affected NGINX versions prioritize patching, especially for internet-facing deployments. The ability for remote, unauthenticated attackers to potentially achieve code execution represents a significant risk, even though the need to bypass ASLR adds complexity to exploitation. Additional details are available in F5's security notification.
While no active exploitation of these NGINX flaws has been reported, F5 noted that its vulnerabilities have frequently been targeted by both cybercrime and nation-state groups, and CISA has previously flagged seven F5 flaws as actively exploited, four of which were used in ransomware attacks. The company also disclosed that state-backed attackers breached its systems in August 2025, stealing undisclosed BIG-IP vulnerabilities and source code.
The June 17 advisory adds new details on CVE-2026-42530 (CVSS 9.2), a memory corruption flaw in ngx_http_v3_module affecting NGINX Open Source 1.31.0 and 1.31.1, and CVE-2026-42055, which impacts ngx_http_proxy_v2_module and ngx_http_grpc_module in both NGINX Open Source and NGINX Plus. F5 also disclosed two high-severity flaws in NGINX Gateway Fabric (CVE-2026-11311, CVE-2026-50107) affecting Kubernetes deployments, and a medium-severity issue in ngx_http_charset_module (CVE-2026-48142). Patches are available in NGINX Open Source 1.30.3/1.31.2 and NGINX Plus R37.0.2.1/R36 P6, while NGINX Instance Manager, NGINX App Protect, and F5 WAF for NGINX currently lack direct fixes.
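A practical way to triage a fleet against the two paragraphs above (the ASLR-dependent impact and the fixed version numbers) is a small check script. The one below is an added example, not F5's or the NGINX project's tooling. It assumes, from the version numbers quoted in the advisory, that any 1.31.x build below 1.31.2 and any 1.30.x build below 1.30.3 is unpatched, and that other Open Source branches and all NGINX Plus releases (R37.0.2.1 / R36 P6) have to be compared against the advisory by hand. The sample `nginx -V` outputs embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for the NGINX fixes described above.
# Assumptions (not from the advisory): 1.31.x < 1.31.2 and 1.30.x < 1.30.3
# are unpatched; every other branch must be checked manually.

# Print "fixed", "vulnerable" or "unknown" for an NGINX Open Source version
# string such as "1.31.1" or "1.30.3-1~bookworm".
nginx_oss_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}        # drop distro suffixes like "-1~bookworm"
    [ -n "$patch" ] || patch=0
    case "$major.$minor" in
        1.31) [ "$patch" -ge 2 ] && echo fixed || echo vulnerable ;;
        1.30) [ "$patch" -ge 3 ] && echo fixed || echo vulnerable ;;
        *)    echo unknown ;;      # not a branch named in the advisory
    esac
}

# Return 0 if the `nginx -V` output given as $1 shows the HTTP/3 module.
# CVE-2026-42530 lives in ngx_http_v3_module, so a build without it is not
# exposed to that particular bug (it may still be exposed to the others).
has_http_v3() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# Classify the value of /proc/sys/kernel/randomize_va_space. The article's
# escalation from DoS to code execution needs ASLR disabled or bypassed,
# so "disabled" here is the setting to treat as urgent.
aslr_status() {
    case "$1" in
        0) echo disabled ;;
        1) echo partial ;;         # stack, mmap and VDSO randomized, brk not
        2) echo full ;;
        *) echo unknown ;;
    esac
}

# Live check against the local host (run with --live).
triage() {
    ver=$(nginx -v 2>&1 | sed 's#.*nginx/##; s# .*##')
    cfg=$(nginx -V 2>&1)
    aslr=$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo '?')
    printf 'nginx %s: oss status %s\n' "$ver" "$(nginx_oss_status "$ver")"
    if has_http_v3 "$cfg"; then
        echo 'http_v3 module: present (in scope for CVE-2026-42530)'
    else
        echo 'http_v3 module: absent'
    fi
    printf 'ASLR: %s (randomize_va_space=%s)\n' "$(aslr_status "$aslr")" "$aslr"
    case "$cfg" in
        *nginx-plus*) echo 'NGINX Plus build: compare release to R37.0.2.1 / R36 P6 manually' ;;
    esac
}

# Constructed sample `nginx -V` outputs used for self-testing; not real hosts.
SAMPLE_V3_BUILD='nginx version: nginx/1.31.1
built with OpenSSL 3.0.13 30 Jan 2024
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module'
SAMPLE_PLAIN_BUILD='nginx version: nginx/1.30.3
built with OpenSSL 3.0.13 30 Jan 2024
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'

if [ "${1:-}" = --live ]; then
    triage
fi
```

Run it with `--live` on a host that has `nginx` on the PATH; without arguments it only defines the functions, so it can be sourced from a fleet-wide inventory job. A `fixed` result only covers the NGINX binary itself; the advisory notes that NGINX Instance Manager, NGINX App Protect and F5 WAF for NGINX had no direct fix at publication, so those still need a manual check.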