F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
F5 has released patches for two critical NGINX Open Source vulnerabilities, including a use-after-free in the HTTP/3 module and a heap buffer overflow in HTTP/2 proxying, both rated CVSS 9.2.

F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems. The vulnerabilities, tracked as CVE-2026-42530 and CVE-2026-42055, both carry a CVSS v4 score of 9.2, underscoring their severity. Users are urged to apply the patches immediately, as the flaws can be triggered by remote unauthenticated attackers under specific configurations.
CVE-2026-42530 is a use-after-free vulnerability in the ngx_http_v3_module, which handles HTTP/3 QUIC connections. An attacker can exploit this by sending a specially crafted HTTP/3 session that reopens a QPACK encoder stream, potentially leading to code execution on systems where Address Space Layout Randomization (ASLR) is disabled or bypassed. The flaw affects NGINX Open Source versions 1.31.0 through 1.31.1, as well as NGINX Gateway Fabric, Instance Manager, and Ingress Controller products.
CVE-2026-42055 is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. It can be triggered when the proxy_http_version directive is set to 2 or the grpc_pass directive is used to proxy HTTP/2 traffic, combined with the ignore_invalid_headers directive set to off and a large_client_header_buffers size exceeding 2 MB. This flaw impacts a broader range of products, including NGINX Plus, NGINX Open Source, NGINX Instance Manager, F5 WAF for NGINX, and NGINX App Protect WAF.
F5 has provided mitigations for organizations unable to patch immediately. For CVE-2026-42530, disabling HTTP/3 can prevent exploitation. For CVE-2026-42055, administrators can remove the ignore_invalid_headers off directive or reduce the large_client_header_buffers size below 2 MB. The patches are included in NGINX Open Source 1.31.2, NGINX Plus 37.0.2.1, and various updates for other affected products.
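The following POSIX shell script is an added example, not part of the F5 advisory and not code from the NGINX project. It audits a flattened nginx configuration for the three-part directive combination the advisory describes as the trigger for CVE-2026-42055 (HTTP/2 proxying via proxy_http_version 2 or grpc_pass, ignore_invalid_headers off, and large_client_header_buffers above 2 MB) and separately flags QUIC/HTTP/3 listeners, which is where the HTTP/3 mitigation for CVE-2026-42530 applies. It assumes the configuration is a single file (include directives are not followed) and uses the standard listen ... quic syntax; both sample configurations are constructed for the example, one in the risky shape and one with the advisory's mitigations applied.

```shell
#!/bin/sh
# Added example (not from the F5 advisory or the NGINX project): audit an
# nginx config for the CVE-2026-42055 trigger combination and flag
# QUIC/HTTP/3 listeners relevant to CVE-2026-42530.
# Assumption: one flattened config file; "include" directives are not followed.

# Drop "#" comments so commented-out directives are not counted.
nginx_strip_comments() {
    sed 's/#.*$//' "$1"
}

# Exit 0 if the config proxies HTTP/2 upstream: proxy_http_version 2 or any
# grpc_pass directive, the two conditions the advisory lists.
nginx_has_h2_proxy() {
    nginx_strip_comments "$1" |
        grep -Eq '(^|;|[[:space:]])(proxy_http_version[[:space:]]+2([[:space:]]|;)|grpc_pass[[:space:]])'
}

# Exit 0 if ignore_invalid_headers is explicitly set to off anywhere.
nginx_has_ignore_invalid_headers_off() {
    nginx_strip_comments "$1" |
        grep -Eq '(^|;|[[:space:]])ignore_invalid_headers[[:space:]]+off[[:space:]]*;'
}

# Print the largest large_client_header_buffers size in bytes (0 if unset),
# converting the k/K and m/M suffixes nginx accepts.
nginx_max_header_buffer_bytes() {
    nginx_strip_comments "$1" | awk '
        BEGIN { max = 0 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "large_client_header_buffers" && i + 2 <= NF) {
                    size = $(i + 2); sub(/;$/, "", size)
                    n = size + 0
                    if (size ~ /[mM]$/) n = n * 1024 * 1024
                    else if (size ~ /[kK]$/) n = n * 1024
                    if (n > max) max = n
                }
            }
        }
        END { print max }'
}

# Exit 0 if a QUIC/HTTP/3 listener ("listen ... quic") is configured.
nginx_has_http3_listener() {
    nginx_strip_comments "$1" |
        grep -Eq '(^|;|[[:space:]])listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;)'
}

# Exit 0 only when all three trigger conditions hold: HTTP/2 proxying,
# ignore_invalid_headers off, and header buffers larger than 2 MB.
nginx_cve_2026_42055_exposed() {
    limit=$((2 * 1024 * 1024))
    nginx_has_h2_proxy "$1" || return 1
    nginx_has_ignore_invalid_headers_off "$1" || return 1
    [ "$(nginx_max_header_buffer_bytes "$1")" -gt "$limit" ]
}

nginx_report() {
    if nginx_cve_2026_42055_exposed "$1"; then
        echo "RISK: $1 matches the CVE-2026-42055 trigger combination"
    else
        echo "ok: $1 does not match the CVE-2026-42055 trigger combination"
    fi
    if nginx_has_http3_listener "$1"; then
        echo "NOTE: $1 has a QUIC/HTTP/3 listener; CVE-2026-42530 applies if unpatched"
    fi
    return 0
}

# Constructed sample configs (not real deployments): the risky shape, and the
# same config with the advisory's mitigations applied.
NGINX_SAMPLE_RISKY=$(mktemp)
NGINX_SAMPLE_FIXED=$(mktemp)
trap 'rm -f "$NGINX_SAMPLE_RISKY" "$NGINX_SAMPLE_FIXED"' EXIT
cat > "$NGINX_SAMPLE_RISKY" <<'EOF'
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl;
        listen 443 quic;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
    }
}
EOF
cat > "$NGINX_SAMPLE_FIXED" <<'EOF'
http {
    large_client_header_buffers 4 1m;   # below the 2 MB threshold
    server {
        listen 443 ssl;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
    }
}
EOF

nginx_report "$NGINX_SAMPLE_RISKY"
nginx_report "$NGINX_SAMPLE_FIXED"
```

Run it against a real file with nginx_report /etc/nginx/nginx.conf after flattening includes (for example by pasting the included files inline), since the script deliberately does not follow include directives. A RISK line means all three trigger conditions are present and one of the advisory's mitigations (dropping ignore_invalid_headers off or reducing large_client_header_buffers below 2 MB) should be applied until the fixed release is installed; a NOTE line identifies listeners that disabling HTTP/3 would cover for CVE-2026-42530.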
Although F5 has not reported active exploitation of these vulnerabilities, the company notes that security flaws in F5 products have been repeatedly targeted by threat actors. Just last month, another critical NGINX vulnerability, CVE-2026-42945 (dubbed NGINX Rift), came under active exploitation within days of public disclosure. This pattern highlights the urgency of applying the latest patches.
The disclosure comes amid a busy period for open-source security, with multiple critical vulnerabilities patched in recent weeks across platforms like OpenSSL, Hugging Face Transformers, and Mozilla Firefox. The NGINX flaws are particularly concerning given the widespread deployment of NGINX as a web server, reverse proxy, and load balancer in enterprise environments. Organizations running NGINX in production should prioritize updating to the fixed versions to mitigate the risk of remote code execution.