F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to gain code execution on affected systems.
The weaknesses are listed below –
- CVE-2026-42530 (CVSS v4 score: 9.2) – A use-after-free vulnerability in the ngx_http_v3_module that can be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module, by means of a specially crafted HTTP/3 session that causes QPACK encoder streams to be reprocessed. It can lead to code execution on systems with address space layout randomization (ASLR) disabled, or when an attacker can bypass ASLR.
- CVE-2026-42055 (CVSS v4 score: 9.2) – A heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules that can be triggered by a remote unauthenticated attacker when proxy_http_version is set to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the size in the large_client_header_buffers directive is larger than 2 MB. It can lead to code execution on systems with address space layout randomization (ASLR) disabled, or when an attacker can bypass ASLR.
The versions affected by each bug, with the releases that fix them where available, are listed below –
- CVE-2026-42530 –
  - NGINX Open Source 1.31.0 – 1.31.1 (fixed in 1.31.2)
  - NGINX Gateway Fabric 2.0.0 – 2.6.3 (fixed in 2.6.4)
  - NGINX Gateway Fabric 1.3.0 – 1.6.2
  - NGINX Instance Manager 2.17.0 – 2.22.0
  - NGINX Ingress Controller 5.0.0 – 5.5.0
  - NGINX Ingress Controller 4.0.0 – 4.0.1
  - NGINX Ingress Controller 3.5.0 – 3.7.2
- CVE-2026-42055 –
  - NGINX Plus 37.0.0 – 37.0.1 (fixed in 37.0.2.1)
  - NGINX Plus R33 – R36 (fixed in R36 p6)
  - NGINX Open Source 1.31.1 (fixed in 1.31.2)
  - NGINX Open Source 1.30.0 – 1.30.2 (fixed in 1.30.3)
  - NGINX Instance Manager 2.17.0 – 2.22.0
  - F5 WAF for NGINX 5.9.0 – 5.13.1
  - NGINX App Protect WAF 5.2.0 – 5.8.0
  - NGINX App Protect WAF 4.10.0 – 4.16.0
  - F5 DoS for NGINX 4.9.0
  - NGINX App Protect DoS 4.3.0 – 4.7.0
  - NGINX Gateway Fabric 2.0.0 – 2.6.3 (fixed in 2.6.4)
  - NGINX Gateway Fabric 1.3.0 – 1.6.2
  - NGINX Ingress Controller 5.0.0 – 5.5.0
  - NGINX Ingress Controller 4.0.0 – 4.0.1
  - NGINX Ingress Controller 3.5.0 – 3.7.2
As mitigations, F5 has outlined the following actions –
- CVE-2026-42530 – Disable HTTP/3.
- CVE-2026-42055 – Remove the ignore_invalid_headers off directive from the configuration, or reduce the size in the large_client_header_buffers directive to less than 2 MB.
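To see whether a deployment matches the pre-conditions above, here is an added example (not F5's or the NGINX project's own code) that scans a configuration dump for the HTTP/3 listener and for the three CVE-2026-42055 conditions together, and compares a constructed vulnerable configuration with the same configuration after the mitigations. It assumes the directive names as given in the advisory and checks each directive on its own line.

```shell
# Heuristic, line-oriented check of an NGINX configuration (text on stdin, e.g.
# `nginx -T` output) for the advisory's pre-conditions; it does not resolve
# contexts or includes, so treat a clean result as a hint, not proof.
# Convert an nginx size argument (8k, 4m, 4096) to bytes.
size_to_bytes() {
    n=${1%[kKmM]}
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}
# True if an uncommented line of $CONF starts with the given directive regex.
has_directive() { printf '%s\n' "$CONF" | grep -Eq "^[[:space:]]*$1"; }
# Print one line per CVE whose full set of pre-conditions is present.
check_nginx_conf() {
    CONF=$(sed 's/#.*$//')   # strip comments so commented-out lines don't match
    if has_directive 'listen[^;]*[[:space:]]quic([[:space:];]|$)'; then
        echo "CVE-2026-42530: exposed (HTTP/3 quic listener; disable HTTP/3)"
    fi
    big=0   # any large_client_header_buffers size above 2 MB?
    for size in $(printf '%s\n' "$CONF" | sed -nE \
        's/^[[:space:]]*large_client_header_buffers[[:space:]]+[0-9]+[[:space:]]+([0-9]+[kKmM]?)[[:space:]]*;.*/\1/p'); do
        if [ "$(size_to_bytes "$size")" -gt $((2 * 1024 * 1024)) ]; then big=1; fi
    done
    if [ "$big" = 1 ] \
        && has_directive 'ignore_invalid_headers[[:space:]]+off[[:space:]]*;' \
        && has_directive '(proxy_http_version[[:space:]]+2[[:space:]]*;|grpc_pass[[:space:]])'; then
        echo "CVE-2026-42055: exposed (HTTP/2 proxying, ignore_invalid_headers off, buffers > 2 MB)"
    fi
    return 0
}
# Number of exposed CVEs for a configuration passed as a string.
exposed_count() { printf '%s\n' "$1" | check_nginx_conf | grep -c exposed || true; }
# Constructed (hypothetical) sample matching every pre-condition, plus the same
# configuration with the advisory's mitigations applied.
VULN_CONF='http {
    large_client_header_buffers 4 4m;
    ignore_invalid_headers off;
    server {
        listen 443 quic reuseport;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
    }
}'
FIXED_CONF=$(printf '%s\n' "$VULN_CONF" | sed -e '/ignore_invalid_headers/d' \
    -e '/quic/d' -e 's/buffers 4 4m/buffers 4 1m/')
```

Running `exposed_count "$VULN_CONF"` reports both CVEs, while the mitigated copy reports none.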
Although F5 makes no mention of the vulnerabilities being exploited in the wild, security flaws in F5 products have been repeatedly exploited by bad actors.
Just last month, another serious security flaw in NGINX Plus and NGINX Open Source (CVE-2026-42945, CVSS score: 9.2), also known as NGINX Rift, came under active exploitation within days of public disclosure.