F5 Patches Two Critical NGINX Open Source Flaws (CVE-2026-42530, CVE-2026-42055)

Two critical NGINX Open Source patches — defenders running reverse-proxy and web-tier deployments should verify the patched versions this week.

Share
Flat white line-art of a proxy server stack with two routing arrows and a patch tile, on an Oxblood background — F5 NGINX Open Source critical patches.

Key Takeaways

  • F5 published out-of-band security advisories and patches on June 17, 2026 for two critical vulnerabilities in NGINX Open Source — CVE-2026-42530, a use-after-free in the HTTP/3 module, and CVE-2026-42055, a heap-based buffer overflow in the HTTP/2 proxy and gRPC modules — each rated CVSS v4 9.2.
  • Both flaws can be reached by a remote, unauthenticated attacker and can lead to remote code execution, but only under specific non-default configurations and on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed; the affected NGINX Open Source builds are fixed in versions 1.31.2 and 1.30.3.
  • F5 reported no evidence of exploitation in the wild at disclosure and neither CVE is listed in CISA's Known Exploited Vulnerabilities catalog, but the fixes also span NGINX Plus and other NGINX products, so defenders should verify the patched build across every reverse-proxy and web-tier deployment.

Two critical NGINX Open Source patches — defenders running reverse-proxy and web-tier deployments should verify the patched versions this week.

SEATTLE, WASHINGTON — F5 on June 17, 2026 published out-of-band security advisories and patches for two critical vulnerabilities in NGINX Open Source, the web server and reverse-proxy software that fronts a large share of the public internet, urging operators to move to a fixed build. The first, tracked as CVE-2026-42530, is a use-after-free in the HTTP/3 module; the second, CVE-2026-42055, is a heap-based buffer overflow in the HTTP/2 proxy and gRPC modules. F5 assigned each a CVSS v4 score of 9.2, and both can be reached by a remote, unauthenticated attacker. The company reported no evidence of exploitation in the wild at disclosure.

The advisories read as a patch-prioritization problem rather than a breach story, but the placement matters: NGINX sits at the web tier, terminating connections and proxying traffic to the applications behind it, which makes a critical flaw in it a front-door concern. Both vulnerabilities require specific, non-default configurations to be reachable and depend on Address Space Layout Randomization (ASLR) being disabled or bypassed to reach code execution, which narrows real-world impact — but the affected component and its position in the stack put verification near the top of any vulnerability-management queue this week.

At a Glance
FieldDetails
CVEsCVE-2026-42530 (HTTP/3); CVE-2026-42055 (HTTP/2 proxy / gRPC)
ProductNGINX Open Source (fixes also span NGINX Plus and related NGINX products)
TypeUse-after-free (42530); heap-based buffer overflow (42055) — remote code execution under specific configs
Severity / CVSSCritical — CVSS v4 9.2 (both)
AffectedNGINX Open Source 1.31.0 and 1.31.1; 1.30.x branch (CVE-2026-42055)
Fixed inNGINX Open Source 1.31.2 and 1.30.3
ExploitationNone reported at disclosure; not in CISA KEV
DisclosedJune 17, 2026 (out-of-band)

What F5 Disclosed

In a pair of out-of-band advisories published on June 17, 2026, F5 — the company that has stewarded NGINX since its 2019 acquisition — described two critical vulnerabilities affecting NGINX Open Source. The first, CVE-2026-42530, is a use-after-free vulnerability in the ngx_http_v3_module. According to F5, it can be triggered by a remote, unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module and is sent a specially crafted HTTP/3 session that reopens a QPACK encoder stream. The second, CVE-2026-42055, is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. F5 assigned each a CVSS v4 base score of 9.2, placing both in the critical band.

The conditions for each flaw are specific, and that detail matters for triage. CVE-2026-42530 is only reachable when the HTTP/3 QUIC module is in use — a configuration that is not enabled by default in many deployments. CVE-2026-42055 requires that NGINX be set to proxy HTTP/2 traffic upstream (via the proxy_http_version 2 or grpc_pass directives), with the ignore_invalid_headers directive turned off and large_client_header_buffers sized above 2 MB. In both cases, F5 noted that reaching remote code execution further depends on Address Space Layout Randomization being disabled or otherwise bypassed; absent that, the more likely outcome is a worker-process crash and denial of service.

It is worth distinguishing NGINX Open Source from NGINX Plus here. The advisory for CVE-2026-42530 and the advisory for CVE-2026-42055 center on the open-source distribution, with affected builds reported as versions 1.31.0 and 1.31.1, plus the 1.30.x branch for CVE-2026-42055; F5 fixed the open-source flaws in versions 1.31.2 and 1.30.3. F5 also shipped corresponding fixes for its commercial NGINX Plus product and other NGINX-family software, so organizations running the paid distribution or related components such as NGINX Gateway Fabric should not assume the open-source version numbers describe their exposure. F5 reported no evidence of in-the-wild exploitation at disclosure, and as of publication neither CVE appears in CISA's Known Exploited Vulnerabilities catalog.

Why NGINX Open Source Patch Cycles Matter for Defender Teams

NGINX occupies an exposed position in most architectures. As a web server and reverse proxy, it commonly terminates inbound connections at the edge, handles TLS, and forwards requests to the application servers behind it. That placement is precisely what makes a critical flaw in it a defender priority: the component sits on the network path that the broadest set of clients can reach, often before any application-layer authentication is in play.

The reasoning is straightforward. A reverse proxy is, by design, reachable from the networks that need to reach the service it fronts — frequently the public internet. A memory-safety flaw in that tier means the precondition that slows many vulnerabilities down, needing valid credentials first, can be absent. Both of this week's flaws are described as unauthenticated and remotely reachable, which is exactly the profile that warrants placing them near the front of a patch-management program rather than in its long tail — even when, as here, the configuration preconditions narrow the population of genuinely exposed servers.

There is also a recent-history reason to take NGINX advisories seriously rather than waiting. As The CyberSignal reported last month, an 18-year-old flaw in the NGINX rewrite module moved from public disclosure to active exploitation within days. The same short fuse appeared when a critical Apache HTTP Server double-free flaw surfaced earlier in the year. None of that means these specific flaws will follow the same arc, but it argues for treating critical web-tier disclosures as time-sensitive verification cycles by default.

Patch Verification Across Reverse-Proxy and Web-Tier Deployments

F5's guidance is direct: upgrade to a fixed build. For NGINX Open Source, that means moving affected installations to version 1.31.2 or, on the older branch, 1.30.3, a point echoed in reporting from The Hacker News on the out-of-band release. The practical work for most teams, however, is verification rather than discovery, because NGINX rarely runs as a single, easily inventoried instance. It is bundled into container images, baked into appliances, deployed as ingress controllers in Kubernetes, and run as standalone reverse proxies across many footprints at once.

The first task is therefore an inventory pass: identify every NGINX deployment across the estate and determine the exact build each is running. Because the flaws are confined to specific version ranges, knowing whether an instance is on an affected 1.31.x or 1.30.x build — versus a fixed 1.31.2 or 1.30.3 — is the difference between an action item and a non-issue. A representative build on one host does not speak for the whole environment, particularly where NGINX arrives indirectly inside images and third-party products that teams do not always track as NGINX.

Configuration review pairs naturally with the version check, because exposure here is configuration-dependent. Teams can confirm whether the HTTP/3 QUIC module is actually enabled (the precondition for CVE-2026-42530) and whether any deployment proxies HTTP/2 upstream with the specific directive combination CVE-2026-42055 requires. Where those conditions are not present, the immediate risk is lower even before patching — but the durable answer is still to land the fixed build, since configurations change and the version is the control that does not drift. The maintenance window is also a reasonable moment to confirm that the proxy's management surfaces are not exposed more broadly than they need to be.

Detection-Engineering Review

Patching closes the specific holes, but a critical flaw at the web tier is also a prompt to confirm that the tier itself is observable. The preconditions for both flaws — malformed or unusual protocol traffic reaching an exposed NGINX listener — map onto detection and monitoring opportunities worth confirming regardless of patch status, and without any need to model a specific exploit technique.

Teams can use the advisories as an occasion to verify coverage of the proxy layer: are NGINX error and access logs being collected and reviewed centrally; would a sustained pattern of worker-process crashes or restarts generate a signal rather than passing unnoticed; and is there visibility into which listeners are exposed to which networks? Because the likely failure mode short of full code execution is a crashing worker process and denial of service, telemetry that surfaces abnormal restart rates and segmentation faults on NGINX hosts is especially relevant here.

None of this is tied to a single payload, and that is the point. Treating the reverse-proxy tier as a monitored, access-controlled, high-value asset — rather than as silent plumbing that forwards traffic and is otherwise ignored — is the control that outlasts any one CVE. It sits alongside patching, and it is the kind of step a mature detection-engineering program builds in by design rather than bolting on after an advisory lands.

Open Questions

Several points are worth keeping in view. F5 reported no evidence of exploitation in the wild at disclosure, and neither CVE-2026-42530 nor CVE-2026-42055 is listed in CISA's Known Exploited Vulnerabilities catalog as of publication. What remains open is how quickly proof-of-concept research emerges and whether either flaw is scanned for at scale — a sequence that, for widely deployed web infrastructure, has sometimes unfolded over days rather than weeks.

There is also the question of reach. The headline figures attach to NGINX Open Source, but F5's fixes span NGINX Plus and other NGINX-family products, and the open-source version numbers do not describe exposure for those components. Organizations running the commercial distribution, ingress controllers, or related modules should map their own products against F5's per-product advisories rather than the open-source build numbers alone, and verify version specifics against F5's articles for their exact deployment.

What is confirmed is enough to act on: two critical, CVSS 9.2 vulnerabilities in NGINX Open Source, remotely reachable without authentication under specific configurations, with fixed builds available now and no exploitation reported at disclosure. Given where NGINX sits in the stack, the prudent reading is to treat verification of every reverse-proxy and web-tier deployment as a near-term, high-priority cycle, and to use the disclosure as a trigger for a configuration and monitoring review of the proxy layer.


The CyberSignal Analysis

The reported facts above are F5's advisory details; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — Configuration Preconditions Buy Time, They Do Not Buy Safety

The most consequential detail in these two advisories is not the CVSS 9.2 rating but the fine print that both flaws depend on specific, non-default configurations and on ASLR being disabled or bypassed to reach code execution. That narrowing is real, and it is why we would not treat this as an all-hands emergency for every NGINX operator. But the reading that stops there is the wrong one. Configuration preconditions describe the population exposed today; they say nothing about the population exposed after the next templated deployment, the next appliance image, or the next engineer who enables HTTP/3 for a performance win without knowing a memory-safety flaw sits behind it.

Our assessment is that the preconditions should change the pace of the response, not its endpoint. They justify triaging these below an actively exploited, no-conditions RCE — but they do not justify leaving affected builds in place, because the version is the control that holds when configurations drift and the config precondition is not. The defensible posture is to land the fixed build everywhere the affected versions run, and let the configuration review determine only how urgently each instance moves.

Signal 02 — The Web Tier's Value Is Positional, and These Flaws Sit Exactly There

A use-after-free and a heap overflow are unremarkable bug classes in isolation; what makes them worth a defender's attention is where they live. NGINX terminates connections at the edge, handles TLS, and proxies inbound traffic to the applications behind it — which means a memory-safety flaw here is reachable before application-layer authentication is ever in play. Our reading is that the right mental model for the reverse-proxy tier is a crown-jewel asset with a public front door, not silent plumbing that forwards packets and is otherwise ignored.

That reframing has a practical consequence: the marginal effort should go to knowing exactly what runs where. NGINX rarely announces itself as a single inventoried instance — it is baked into container images, appliances, and Kubernetes ingress controllers that teams do not always track as NGINX. The organizations that will close this cleanly are the ones that can answer, quickly and completely, which builds and which configurations are live across the estate. That inventory capability, not the specific patch, is the durable capability these advisories are testing.

Signal 03 — Treat the Quiet Disclosure as the Start of a Clock, Not the End of the Story

F5 reported no exploitation in the wild at disclosure, and neither CVE sits in CISA's Known Exploited Vulnerabilities catalog. It would be easy to read that as permission to defer. We would read it as the calm before a clock starts. Widely deployed web infrastructure has repeatedly compressed the gap between public disclosure and at-scale scanning into days, and the value of a front-door RCE is high enough that proof-of-concept research tends to follow critical advisories quickly.

The forward-looking watch item is therefore the interval between now and the first credible proof-of-concept — and whether an organization's detection of the likely pre-exploitation signature, a pattern of crashing or restarting NGINX worker processes, is instrumented before that interval closes. Our view is that the absence of exploitation today is the best window a team will get to verify builds and monitoring calmly, and that treating it as breathing room rather than a green light is what separates the teams that stay ahead of this class of web-tier flaw from the ones that patch it under duress.


Sources

TypeSource
PrimaryF5 — NGINX ngx_http_v3_module vulnerability CVE-2026-42530 (K000161616)
PrimaryF5 — NGINX ngx_http_proxy_v2_module / ngx_http_grpc_module vulnerability CVE-2026-42055 (K000161584)
ReportingThe Hacker News
ReportingBleepingComputer
RelatedThe CyberSignal — NGINX Rift: CVE-2026-42945 Rewrite-Module RCE
The CyberSignal — Apache HTTP/2 Double-Free RCE