F5 Releases Security Updates For Critical NGINX Flaws That Could Enable Remote Code Execution

F5 has released security updates to address two critical vulnerabilities in NGINX Open Source that could allow remote attackers to execute arbitrary code on affected systems under specific conditions. The vulnerabilities, tracked as CVE-2026-42530 and CVE-2026-42055, have each been assigned a CVSS v4 score of 9.2, reflecting their potential severity. The flaws impact several NGINX-related products and components, prompting security experts to urge organizations running affected deployments to apply available patches and review mitigation guidance. While F5 has not reported active exploitation of either vulnerability, the company noted that security weaknesses affecting F5 and NGINX products have historically attracted significant attention from threat actors. The disclosure follows reports from last month involving another critical NGINX vulnerability, CVE-2026-42945, also known as NGINX Rift, which entered active exploitation shortly after becoming public.

The first vulnerability, CVE-2026-42530, affects the ngx_http_v3_module and is classified as a use-after-free flaw. According to F5, the issue can be triggered by a remote, unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module. By crafting a malicious HTTP/3 session that reopens a QPACK encoder stream, an attacker may be able to execute code on systems where Address Space Layout Randomization, commonly known as ASLR, is disabled or where ASLR protections can be bypassed. The vulnerability impacts NGINX Open Source versions 1.31.0 through 1.31.1 and has been addressed in version 1.31.2. Additional affected products include NGINX Gateway Fabric, NGINX Instance Manager, and several versions of NGINX Ingress Controller. F5 recommends disabling HTTP/3 functionality as a temporary mitigation for organizations unable to deploy updates immediately. Further technical analysis from researcher Trung Nguyen of CyStack, who helped identify and report the flaw, revealed that the issue stems from what he described as a lifetime mismatch: a pointer associated with an HTTP/3 session continues to reference memory belonging to a stream that has already been closed and freed, creating the conditions under which the vulnerable code path can be exploited.

The second vulnerability, CVE-2026-42055, is a heap-based buffer overflow affecting ngx_http_proxy_v2_module and ngx_http_grpc_module. F5 stated that the flaw can be exploited remotely without authentication when NGINX is configured to proxy HTTP/2 traffic through the proxy_http_version 2 directive or the grpc_pass directive, while ignore_invalid_headers is disabled and large_client_header_buffers is configured with a size greater than 2 MB. Under these circumstances, an attacker could potentially achieve code execution on systems lacking effective ASLR protections. The vulnerability affects a broad range of products, including NGINX Plus, NGINX Open Source, NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, F5 DoS for NGINX, NGINX App Protect DoS, NGINX Gateway Fabric, and NGINX Ingress Controller. Patches have been released across affected product lines, including NGINX Open Source 1.30.3 and 1.31.2, as well as NGINX Plus 37.0.2.1 and NGINX Plus R36 P6. For environments where immediate patching is not possible, F5 advises removing the ignore_invalid_headers off directive or reducing the large_client_header_buffers value below 2 MB.
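The preconditions above for both CVEs are configuration-visible, so a defender's first step is to find deployments that match them. The script below is an added example (not F5's or the NGINX project's code) that scans an nginx.conf for the settings the advisory names: a QUIC listener or http3 on (the HTTP/3 precondition for CVE-2026-42530), and the combination of proxy_http_version 2 or grpc_pass with ignore_invalid_headers off and a large_client_header_buffers size above 2 MB (CVE-2026-42055). It assumes "2 MB" means NGINX's "2m" (2 MiB), takes the proxy_http_version 2 syntax as the advisory states it, and deliberately flattens block nesting rather than modelling per-context inheritance, so it errs on the side of reporting. The two configurations embedded in it are constructed samples.

```python
"""Audit an NGINX configuration for the preconditions named in the F5 advisory.

Added example: not F5 / NGINX project code. Assumptions are marked inline.
"""
import re

# The advisory says "greater than 2 MB"; treating that as 2 MiB ("2m") is an assumption.
THRESHOLD_BYTES = 2 * 1024 * 1024
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(token: str) -> int:
    """Convert an NGINX size token such as '8k' or '4m' into bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"unrecognised NGINX size: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def directives(config_text: str):
    """Yield (name, args) for every directive, with comments stripped.

    Block nesting is flattened on purpose: this conservative scan reports the
    risky combination if the directives appear anywhere in the file.
    """
    text = re.sub(r"#.*", "", config_text)
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def audit(config_text: str) -> dict:
    """Summarise the settings the advisory ties to the two CVEs."""
    http3 = False
    h2_upstream = False
    ignore_invalid_headers_off = False       # NGINX default is "on"
    largest_header_buffer = 8 * 1024        # NGINX default: large_client_header_buffers 4 8k
    for name, args in directives(config_text):
        if name == "listen" and "quic" in args:
            http3 = True
        elif name == "http3" and args[:1] == ["on"]:
            http3 = True
        elif name == "proxy_http_version" and args[:1] == ["2"]:
            h2_upstream = True                # syntax as given in the advisory
        elif name == "grpc_pass":
            h2_upstream = True
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            ignore_invalid_headers_off = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            largest_header_buffer = max(largest_header_buffer, parse_size(args[1]))
    return {
        "http3_enabled": http3,               # CVE-2026-42530 precondition
        "cve_2026_42055_exposed": (
            h2_upstream
            and ignore_invalid_headers_off
            and largest_header_buffer > THRESHOLD_BYTES
        ),
        "largest_header_buffer_bytes": largest_header_buffer,
    }


# Constructed sample: matches every precondition in the advisory.
EXPOSED_CONFIG = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;     # 4 MiB, above the 2 MB threshold
    server {
        listen 443 ssl;
        listen 443 quic reuseport;        # HTTP/3 enabled
        http3 on;
        location /api/  { proxy_http_version 2; proxy_pass https://backend; }
        location /grpc/ { grpc_pass grpc://grpc_backend; }
    }
}
"""

# Constructed sample: the mitigations F5 describes applied (no HTTP/3,
# ignore_invalid_headers left at its default, header buffers well under 2 MB).
HARDENED_CONFIG = """
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location /api/ { proxy_http_version 2; proxy_pass https://backend; }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Point the script at a rendered configuration (for example the output of nginx -T) rather than a single include file, so that directives inherited from the http block are seen together with the server and location blocks that use them.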

Researchers provided additional technical details regarding the root cause of CVE-2026-42055, explaining that the vulnerability arises from how HPACK-encoded data is processed. According to Nguyen, the request builder allocates a fixed four-byte space for the length prefix of an HPACK string, but the HPACK variable-length integer encoder can generate five bytes when handling values exceeding 2,097,278. This discrepancy allows attacker-controlled data to be written beyond the allocated memory boundary, resulting in a heap overflow. In addition to potential code execution, specially crafted oversized requests could repeatedly crash worker processes and cause sustained denial of service. Security teams are encouraged to identify affected deployments, apply the latest security updates, and validate configurations to reduce exposure. The disclosure serves as another reminder of the importance of maintaining current software versions and monitoring critical infrastructure components for vulnerabilities that could be leveraged to compromise cloud and web application environments.
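The 2,097,278 figure follows directly from the HPACK integer encoding in RFC 7541 section 5.1: a string length uses a 7-bit prefix (the top bit of the first byte is the Huffman flag), so values below 127 take one byte and larger values take the prefix byte plus 7 bits per continuation byte. Four bytes therefore cover at most 127 + 2^21 - 1 = 2,097,278; anything larger needs a fifth byte. The code below is an added example, not NGINX's own encoder, that implements the RFC encoding and decoding, computes that boundary, and shows the defensive pattern of sizing the length prefix from the value before writing it instead of reserving a fixed four bytes. The sample lengths and the fixed_prefix_fits helper are constructed for illustration.

```python
"""HPACK integer encoding (RFC 7541 section 5.1) and the 4-byte prefix boundary.

Added example: not NGINX project code.
"""


def hpack_encode_int(value: int, prefix_bits: int = 7, first_byte_flags: int = 0) -> bytes:
    """Encode a non-negative integer with an N-bit prefix.

    For a string literal the prefix is 7 bits and first_byte_flags carries the
    Huffman bit (0x80). Continuation bytes hold 7 bits each, low bits first,
    with 0x80 set on every byte except the last.
    """
    if value < 0 or not 1 <= prefix_bits <= 8:
        raise ValueError("value must be >= 0 and prefix_bits in 1..8")
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def hpack_decode_int(data: bytes, prefix_bits: int = 7) -> tuple:
    """Decode an integer from the start of data; returns (value, bytes_consumed)."""
    limit = (1 << prefix_bits) - 1
    value = data[0] & limit
    if value < limit:
        return value, 1
    shift, i = 0, 1
    while True:
        b = data[i]
        value += (b & 0x7F) << shift
        i += 1
        if not b & 0x80:
            return value, i
        shift += 7


def max_value_for_prefix_bytes(n_bytes: int, prefix_bits: int = 7) -> int:
    """Largest integer whose encoding fits in n_bytes with the given prefix.

    One byte holds values < limit; each extra byte adds 7 bits to (value - limit).
    """
    limit = (1 << prefix_bits) - 1
    if n_bytes == 1:
        return limit - 1
    return limit + (1 << (7 * (n_bytes - 1))) - 1


FIXED_PREFIX_BYTES = 4  # the fixed reservation the article describes


def fixed_prefix_fits(length: int, reserved: int = FIXED_PREFIX_BYTES) -> bool:
    """True if the HPACK length prefix for `length` fits the fixed reservation.

    Constructed helper: this is the check a fixed-size writer would have to make.
    """
    return len(hpack_encode_int(length)) <= reserved


def build_string_literal(data: bytes) -> bytes:
    """Emit a non-Huffman HPACK string literal, sizing the prefix from the value.

    Computing the prefix first (rather than reserving a fixed number of bytes)
    is the defensive pattern: the output buffer is exactly prefix + payload.
    """
    prefix = hpack_encode_int(len(data), prefix_bits=7, first_byte_flags=0x00)
    return prefix + data


if __name__ == "__main__":
    boundary = max_value_for_prefix_bytes(FIXED_PREFIX_BYTES)
    print("largest length with a 4-byte prefix:", boundary)
    for n in (10, 127, boundary, boundary + 1):
        enc = hpack_encode_int(n)
        print(f"{n:>9} -> {len(enc)} byte(s) {enc.hex()}  fits fixed prefix: {fixed_prefix_fits(n)}")
    literal = build_string_literal(b"constructed sample header value")
    print("string literal:", literal.hex())
```

The decoder is included so the boundary can be checked round-trip: an encoded 2,097,279 decodes back to the same value but only after consuming five bytes, which is the extra byte a fixed four-byte reservation has no room for.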
