Last updated: July 5, 2026 at 9:01 AM UTC

Critical F5 NGINX flaws allow unauthenticated code execution and crashes

F5 has issued out-of-band patches for two critical flaws in NGINX, the web server and reverse proxy that fronts a large share of the internet. CVE-2026-42530 (a use-after-free in the HTTP/3 module) and CVE-2026-42055 (a heap overflow in the HTTP/2 proxy and gRPC modules), both rated 9.2, let a remote, unauthenticated attacker corrupt memory in an NGINX worker process. The reliable outcome is a worker crash (a denial of service); where address-space layout randomization is disabled or bypassed, the corruption could potentially be turned into code execution in the worker's context. Both flaws affect only non-default configurations, across NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, and NGINX Instance Manager. F5 reports no exploitation so far, but its products are frequent attacker targets.

Check
Inventory NGINX instances and versions across servers, Kubernetes ingress controllers, and API gateways, and check each configuration for the features that expose these flaws: an HTTP/3 (QUIC) listener, or HTTP/2 proxying and gRPC upstreams. Neither is on by default, so a stock NGINX that only serves HTTP/1.1 and HTTP/2 over TCP and proxies to upstreams over HTTP/1.x is not exposed.
Affected
NGINX Open Source, NGINX Plus, Gateway Fabric, and Instance Manager in non-default configurations using HTTP/3 (CVE-2026-42530) or HTTP/2 proxying and gRPC (CVE-2026-42055); unauthenticated remote attackers can trigger the flaws.
Fix
Upgrade to the fixed releases (NGINX Open Source 1.31.2, NGINX Plus 37.0.2.1 or R36 P6, NGINX Gateway Fabric 2.6.4). If you cannot patch now, disable HTTP/3 or the affected proxy settings as F5 advises. Note the difference in impact: removing the QUIC listener is transparent to clients, which fall back to HTTP/1.1 or HTTP/2 over TCP, whereas disabling gRPC or HTTP/2 proxying takes those upstream services offline, so for the second flaw patching is the only mitigation that keeps the service running.
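The inventory step under Check and the interim mitigation under Fix can both be scripted against an `nginx -T` configuration dump. The following is an added example, not code from F5 or the NGINX project: it parses the version string, compares it against the Open Source fixed release named above, flags the directives that enable the exposed features, and rewrites the configuration with HTTP/3 disabled for the case where patching has to wait. The `listen ... quic`, `http3 on`, `grpc_pass` and `Alt-Svc` directives are standard NGINX; the `proxy_http_version 2` check is an assumption about how HTTP/2 proxying to upstreams is switched on and is labeled as such. The sample dump is constructed for the example.

```python
"""Audit an `nginx -T` dump for the exposure conditions in the F5 advisory."""
import re

# Fixed NGINX Open Source release named in the advisory. NGINX Plus and Gateway
# Fabric use different version schemes and are not compared here.
FIXED_OSS = (1, 31, 2)

# Directives that enable HTTP/3 (exposure for CVE-2026-42530).
HTTP3_PATTERNS = [
    re.compile(r"^\s*listen\b.*\bquic\b"),
    re.compile(r"^\s*http3\s+on\s*;"),
]
# Directives that enable gRPC / HTTP/2 proxying (exposure for CVE-2026-42055).
# `proxy_http_version 2` is an ASSUMPTION about the HTTP/2 proxy setting.
H2_GRPC_PATTERNS = [
    re.compile(r"^\s*grpc_pass\b"),
    re.compile(r"^\s*proxy_http_version\s+2\b"),  # assumption, see lead-in
]
# Advertises h3 to browsers; harmless once the listener is gone but tidied up.
ALT_SVC_PATTERN = re.compile(r"^\s*add_header\s+Alt-Svc\b.*\bh3\b")

# Constructed sample input standing in for `nginx -v` and `nginx -T` output.
SAMPLE_VERSION = "nginx version: nginx/1.31.1"
SAMPLE_CONFIG = """\
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;
        http3 on;
        add_header Alt-Svc 'h3=":443"; ma=86400';
        # http3 on;  (already commented out, must not be flagged)
        location /api/ {
            proxy_pass http://backend;
        }
        location /grpc/ {
            grpc_pass grpc://grpc_backend;
        }
    }
}
"""


def parse_version(output):
    """Return (major, minor, patch) from `nginx -v`/`nginx -V` output, or None."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_upgrade(version, fixed=FIXED_OSS):
    """True when the parsed version is older than the fixed release."""
    return version is not None and version < fixed


def _strip_comment(line):
    # NGINX comments run from '#' to end of line.
    return line.split("#", 1)[0]


def audit_config(config_text):
    """Return {'http3': [(lineno, line)], 'h2_grpc': [(lineno, line)]}."""
    findings = {"http3": [], "h2_grpc": []}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = _strip_comment(raw)
        if any(p.search(line) for p in HTTP3_PATTERNS):
            findings["http3"].append((lineno, raw.strip()))
        if any(p.search(line) for p in H2_GRPC_PATTERNS):
            findings["h2_grpc"].append((lineno, raw.strip()))
    return findings


def assess(version_output, config_text):
    """Combine version and configuration checks into one verdict."""
    version = parse_version(version_output)
    findings = audit_config(config_text)
    return {
        "version": version,
        "needs_upgrade": needs_upgrade(version),
        "http3_exposed": bool(findings["http3"]),
        "h2_grpc_exposed": bool(findings["h2_grpc"]),
        "findings": findings,
    }


def disable_http3(config_text):
    """Interim mitigation: comment out the QUIC listener, http3 and Alt-Svc lines.

    Only HTTP/3 is handled; commenting out grpc_pass would leave the location
    without a handler and take the gRPC service down, so that case is reported
    by audit_config() rather than rewritten.
    """
    out = []
    for raw in config_text.splitlines():
        line = _strip_comment(raw)
        if any(p.search(line) for p in HTTP3_PATTERNS + [ALT_SVC_PATTERN]):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}# disabled pending upgrade: {raw.strip()}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_CONFIG)
    print(result)
    print(disable_http3(SAMPLE_CONFIG))
```

Run it against real hosts by feeding the output of `nginx -v 2>&1` and `nginx -T 2>/dev/null` to `assess()`; the `nginx -T` form is preferable to reading files because it expands every `include` and reports the configuration the running binary actually loaded.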