Critical F5 NGINX flaws allow unauthenticated code execution and crashes
F5 has issued out-of-band patches for two critical flaws in NGINX, the web server and reverse proxy that runs a large share of the internet. CVE-2026-42530 (a use-after-free in the HTTP/3 module) and CVE-2026-42055 (a heap overflow in the HTTP/2 proxy and gRPC modules), both rated 9.2, let a remote, unauthenticated attacker corrupt memory in an NGINX worker, crashing it for a denial of service and, where address-space randomization is disabled or bypassed, potentially running code. They affect non-default configurations across NGINX Open Source, Plus, Gateway Fabric, and Instance Manager. F5 has not seen exploitation yet, but its products are frequent attacker targets.
- Check
- Inventory NGINX instances and versions across servers, ingress, and gateways, and check whether HTTP/3 (QUIC) or HTTP/2 proxy and gRPC upstreams are enabled, which is what exposes these flaws.
- Affected
- NGINX Open Source, NGINX Plus, Gateway Fabric, and Instance Manager in non-default configurations using HTTP/3 (CVE-2026-42530) or HTTP/2 proxying and gRPC (CVE-2026-42055); unauthenticated remote attackers can trigger the flaws.
- Fix
- Upgrade to the fixed releases (NGINX Open Source 1.31.2, Plus 37.0.2.1 or R36 P6, Gateway Fabric 2.6.4). If you cannot patch now, disable HTTP/3 or the affected proxy settings as F5 advises.