Critical NGINX vulnerabilities CVE-2026-42530 and CVE-2026-42055 fixed by F5

CyberSecureFox Editorial Team

F5 has released security updates that address two critical vulnerabilities in NGINX Open Source and related products. Both vulnerabilities — CVE-2026-42530 and CVE-2026-42055 — have been assigned a CVSS v4 score of 9.2 and allow a remote, unauthenticated attacker to achieve arbitrary code execution under certain configurations. A wide range of products is affected, from NGINX Open Source and NGINX Plus to NGINX Ingress Controller, Gateway Fabric, Instance Manager, and WAF/DoS components. Administrators are advised to immediately update affected installations to the fixed versions or apply the proposed mitigations.

Technical analysis of the vulnerabilities

CVE-2026-42530: use-after-free in the HTTP/3 module

A use-after-free vulnerability has been discovered in the ngx_http_v3_module. According to the F5 security advisory, exploitation is possible when NGINX is configured to use the HTTP/3 QUIC module. An attacker can reopen the QPACK encoder stream via a specially crafted HTTP/3 session, which leads to access to memory that has already been freed. Arbitrary code execution is possible on systems where ASLR (Address Space Layout Randomization) is disabled, or if the attacker has a way to bypass ASLR.

Affected products:

  • NGINX Open Source 1.31.0 – 1.31.1 (fixed in 1.31.2)
  • NGINX Gateway Fabric 2.0.0 – 2.6.3 (fixed in 2.6.4)
  • NGINX Gateway Fabric 1.3.0 – 1.6.2 (fixed version not specified)
  • NGINX Instance Manager 2.17.0 – 2.22.0 (fixed version not specified)
  • NGINX Ingress Controller 3.5.0 – 3.7.2, 4.0.0 – 4.0.1, 5.0.0 – 5.5.0 (fixed versions not specified)

CVE-2026-42055: heap-based buffer overflow in HTTP/2 modules

The second vulnerability is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. As stated in the corresponding F5 advisory, exploitation requires several conditions to be met simultaneously: use of the proxy_http_version 2 or grpc_pass directives to proxy HTTP/2 traffic, the ignore_invalid_headers directive set to off, and a large_client_header_buffers value greater than 2 MB. As with the first vulnerability, code execution is possible when ASLR is disabled or successfully bypassed.

This vulnerability affects a significantly broader range of products:

  • NGINX Open Source 1.31.1 (fixed in 1.31.2)
  • NGINX Open Source 1.30.0 – 1.30.2 (fixed in 1.30.3)
  • NGINX Plus 37.0.0 – 37.0.1 (fixed in 37.0.2.1)
  • NGINX Plus R33 – R36 (fixed in R36 P6)
  • NGINX Gateway Fabric 2.0.0 – 2.6.3 (fixed in 2.6.4)
  • NGINX Gateway Fabric 1.3.0 – 1.6.2
  • NGINX Instance Manager 2.17.0 – 2.22.0
  • F5 WAF for NGINX 5.9.0 – 5.13.1
  • NGINX App Protect WAF 4.10.0 – 4.16.0, 5.2.0 – 5.8.0
  • F5 DoS for NGINX 4.9.0
  • NGINX App Protect DoS 4.3.0 – 4.7.0
  • NGINX Ingress Controller 3.5.0 – 3.7.2, 4.0.0 – 4.0.1, 5.0.0 – 5.5.0

The CVE registry entries are published under the identifiers CVE-2026-42530 and CVE-2026-42055.

Assessment of real-world risk

Despite the high CVSS 9.2 scores, practical exploitation of both vulnerabilities is constrained by several factors. For CVE-2026-42530, the configuration must have the HTTP/3 QUIC module enabled — functionality that is still not standard for most NGINX deployments. For CVE-2026-42055, an even more specific combination is required: HTTP/2 proxying, header validation explicitly disabled, and an unusually large buffer size. In addition, code execution in both cases depends on ASLR being disabled or bypassed — on modern Linux systems, ASLR is enabled by default.

F5 does not report any instances of these vulnerabilities being exploited in real‑world attacks. Neither CVE is listed in the CISA KEV catalog. Nevertheless, F5 and NGINX products have historically been attractive targets for attackers due to their widespread use as reverse proxies, load balancers, and entry points into corporate networks and Kubernetes clusters.

Special attention should be paid by organizations that use NGINX in Kubernetes environments via NGINX Ingress Controller or NGINX Gateway Fabric: compromise of these components can give an attacker access to all traffic passing through the cluster.

Remediation recommendations

The top priority is to update to the fixed versions:

  • NGINX Open Source: update to 1.31.2 (mainline) or 1.30.3 (stable)
  • NGINX Plus: update to 37.0.2.1 or install R36 P6
  • NGINX Gateway Fabric: update to 2.6.4

If immediate updating is not possible, F5 suggests the following mitigations:

  • For CVE-2026-42530: disable HTTP/3 in the NGINX configuration
  • For CVE-2026-42055: remove the ignore_invalid_headers off directive from the configuration (by default, header validation is enabled), or reduce the large_client_header_buffers size to less than 2 MB

For several affected products — NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF/DoS, and some Ingress Controller branches — the advisories do not yet specify fixed versions. Administrators of these products should monitor advisory updates K000161616 and K000161584 and, as a temporary measure, apply the configuration changes described above.

Given the critical severity of the vulnerabilities and the broad range of affected products, organizations should first audit their NGINX configurations for use of HTTP/3 QUIC and non‑standard HTTP/2 proxy settings, and then plan updates within the next maintenance window. For Kubernetes deployments, the priority of updating Ingress Controller and Gateway Fabric should be elevated, since these components handle all incoming cluster traffic.
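The audit described above can be scripted. The following is an added example written for this article, not code from F5 or from the NGINX project: it scans an NGINX configuration for the preconditions the advisories attach to each CVE (a `quic` listener or `http3 on` for CVE-2026-42530; `proxy_http_version 2` or `grpc_pass` together with `ignore_invalid_headers off` and a `large_client_header_buffers` size above 2 MB for CVE-2026-42055) and lists the interim mitigations from the advisory summary for whatever it flags. The two configurations are constructed for the example. Assumptions: the "greater than 2 MB" threshold is read as the per-buffer size argument of `large_client_header_buffers` (whose NGINX default is `4 8k`), and the scanner is a simple directive matcher that ignores block nesting and does not follow `include` files.

```python
"""Added example (not from the page or F5): scan an NGINX configuration for the
preconditions F5 attaches to CVE-2026-42530 (HTTP/3 QUIC enabled) and
CVE-2026-42055 (HTTP/2 proxying, ignore_invalid_headers off, buffers > 2 MB).
Lightweight directive scanner: ignores nesting, does not follow 'include'."""
import re

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
TWO_MB = 2 * 1024 ** 2

# Constructed sample configurations (not taken from the page or from F5).
AT_RISK_CONF = """
http {
    large_client_header_buffers 4 4m;    # 4 MB per buffer, above the 2 MB threshold
    ignore_invalid_headers off;          # header validation disabled
    server {
        listen 443 ssl;
        listen 443 quic;                 # HTTP/3 enabled: CVE-2026-42530 exposure
        http3 on;
        location / {
            proxy_http_version 2;        # HTTP/2 proxying
            proxy_pass https://backend;
        }
        location /grpc { grpc_pass grpc://backend:50051; }
    }
}
"""

HARDENED_CONF = """
http {
    large_client_header_buffers 4 16k;   # well below 2 MB
    server {
        listen 443 ssl;                  # no quic listener, no 'http3 on'
        location / {
            proxy_http_version 1.1;
            proxy_pass https://backend;
        }
    }
}
"""

# directive name, then its arguments up to ';' (never crossing a block brace)
DIRECTIVE_RE = re.compile(r"([A-Za-z_][\w.]*)\s*([^;{}]*?)\s*;")

def directives(conf):
    """Yield (name, [args]) for every simple directive; '#' comments are stripped first."""
    text = re.sub(r"#[^\n]*", "", conf)
    for m in DIRECTIVE_RE.finditer(text):
        yield m.group(1), m.group(2).split()

def parse_size(token):
    """Convert an nginx size token ('8k', '2m', '1g', '4096') to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def audit(conf):
    """Report which preconditions the configuration meets and whether each CVE applies."""
    report = {
        "http3_enabled": False,
        "http2_proxying": False,
        "invalid_headers_off": False,
        "max_header_buffer_bytes": 8 * 1024,  # nginx default: 'large_client_header_buffers 4 8k'
    }
    for name, args in directives(conf):
        if name == "listen" and "quic" in args:
            report["http3_enabled"] = True
        elif name == "http3" and args == ["on"]:
            report["http3_enabled"] = True
        elif name == "proxy_http_version" and args == ["2"]:
            report["http2_proxying"] = True
        elif name == "grpc_pass":
            report["http2_proxying"] = True
        elif name == "ignore_invalid_headers" and args == ["off"]:
            report["invalid_headers_off"] = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            # assumption: "greater than 2 MB" refers to the per-buffer size argument
            report["max_header_buffer_bytes"] = max(
                report["max_header_buffer_bytes"], parse_size(args[1]))
    report["cve_2026_42530_exposed"] = report["http3_enabled"]
    report["cve_2026_42055_exposed"] = (report["http2_proxying"]
                                       and report["invalid_headers_off"]
                                       and report["max_header_buffer_bytes"] > TWO_MB)
    return report

def recommendations(report):
    """Interim mitigations named in the advisory summary, for whatever the audit flagged."""
    recs = []
    if report["cve_2026_42530_exposed"]:
        recs.append("CVE-2026-42530: disable HTTP/3 ('quic' listeners, 'http3 on') until patched")
    if report["cve_2026_42055_exposed"]:
        recs.append("CVE-2026-42055: remove 'ignore_invalid_headers off' or set "
                    "large_client_header_buffers below 2 MB until patched")
    return recs

if __name__ == "__main__":
    for label, conf in (("at-risk", AT_RISK_CONF), ("hardened", HARDENED_CONF)):
        found = audit(conf)
        print(label, found, recommendations(found))
```

Because the scanner does not resolve `include` directives, feed it the fully expanded configuration that `nginx -T` prints rather than a single file; for Ingress Controller and Gateway Fabric deployments, audit the configuration those components generate inside their pods, since that is where the `listen ... quic`, `proxy_http_version` and buffer directives actually live. Note that the 2 MB check is strictly greater-than, matching the advisory wording, so a `2m` buffer is reported as not meeting the precondition.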
