NewsCloud & DevOpsSecurity

CVE-2026-42530 & CVE-2026-42055: Patch NGINX Now


F5 issued an out-of-band security advisory on June 17, patching two CVSS 9.2 critical flaws in NGINX that let remote, unauthenticated attackers crash worker processes or, under the right conditions, execute arbitrary code. CVE-2026-42530 targets the HTTP/3 QUIC module. CVE-2026-42055 targets the HTTP/2 proxy. Out-of-band means F5 didn't wait for a scheduled patch cycle — that alone tells you how they're reading the risk level.

NGINX powers somewhere between 30 and 43 percent of the web. And in May 2026, attackers began exploiting a different NGINX critical flaw within days of its CVE publication. The window between “advisory posted” and “active exploitation” for NGINX vulnerabilities has been shrinking all year.

CVE-2026-42530: The HTTP/3 Use-After-Free

This one lives in ngx_http_v3_module — the QUIC implementation. An attacker maliciously reopens a QPACK encoder stream mid-session, causing NGINX to dereference a pointer to memory that's already been freed. The result is a worker process crash at minimum, and potential code execution when ASLR is disabled or can be bypassed.

The vulnerability only fires if you've enabled HTTP/3 with a listen ... quic; directive. That used to be a narrow set of deployments. It isn't anymore — HTTP/3 is now supported by roughly 39 percent of websites, and it's increasingly enabled in modern configurations.

  • Affected: NGINX Open Source 1.31.0–1.31.1, Gateway Fabric 2.0.0–2.6.3
  • Fixed in: NGINX Open Source 1.31.2, Gateway Fabric 2.6.4
  • Mitigation: Remove quic from all listen directives to disable HTTP/3

CVE-2026-42055: The HTTP/2 Proxy Heap Overflow

This one is sneakier. The heap overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module only triggers when three specific non-default conditions coexist in your config:

  1. proxy_http_version 2 or grpc_pass is configured (HTTP/2 to the backend)
  2. ignore_invalid_headers off is set (the default is on)
  3. large_client_header_buffers is set above 2 MB

That combination isn't common in simple setups, but it's a recognizable pattern in API gateways, OAuth and SAML implementations with bulky credential headers, and service mesh deployments carrying W3C trace context or Jaeger baggage. If you're running gRPC services behind NGINX and you've tuned your header buffers for large JWTs or distributed trace headers, check your config now.

  • Affected: NGINX Open Source 1.30.0–1.30.2 and 1.31.1, NGINX Plus R33–R36
  • Fixed in: NGINX Open Source 1.30.3 or 1.31.2, NGINX Plus R36 P6 / 37.0.2.1
  • Mitigation: Revert ignore_invalid_headers to its default, or bring large_client_header_buffers under 2 MB

Some Products Don't Have Patches Yet

F5 has fixes for NGINX Open Source, NGINX Plus, and Gateway Fabric. The following products are still awaiting patches as of the advisory date:

  • NGINX Instance Manager 2.17.0–2.22.0
  • NGINX Ingress Controller 3.5.0–3.7.2 and 4.0.0–4.0.1
  • NGINX WAF for NGINX 5.9.0–5.13.1
  • NGINX App Protect WAF 4.10.0–4.16.0 and 5.2.0–5.8.0

If you're running any of these, apply both mitigations immediately and monitor error logs for unexplained worker process restarts — that's the exploitation signal for CVE-2026-42530.

The Pattern Worth Watching

These two flaws have no confirmed exploitation yet. That's the only good news. The broader trajectory is less reassuring: the May 2026 NGINX Rift flaw (CVE-2026-42945) was exploited in the wild days after disclosure. Before that, the nginx-ui auth bypass (CVE-2026-33032, CVSS 9.8) was actively exploited within its first month. NGINX has been under sustained targeted attack this year, and threat actors have shown they'll operationalize new CVEs before most teams complete a patch cycle.

The F5 advisory covers all affected products and patch versions. For quick verification, check your installed version with nginx -v and grep your config for quic, ignore_invalid_headers off, and large_client_header_buffers values above 2 MB.

What to Do Right Now

  1. Run nginx -v and compare against the affected version ranges above
  2. Search configs for listen ... quic; — if present, upgrade to 1.31.2 or remove the directive
  3. Search for the three-condition combination that triggers CVE-2026-42055 (grpc_pass or proxy_http_version 2 + ignore_invalid_headers off + large header buffers)
  4. If running Instance Manager, Ingress Controller, or App Protect WAF — apply both mitigations now, patches are pending
  5. Monitor /var/log/nginx/error.log for worker process restarts
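The checklist above and the error-log monitoring from the "awaiting patches" section, as an added POSIX shell audit that is not code from F5, BleepingComputer or the article. The function names, the sample nginx.conf and the sample error.log line are constructed for this example; the version ranges and the three configuration conditions are the ones the advisory summary above lists, and reading "above 2 MB" as the per-buffer size argument of large_client_header_buffers is an assumption.

```shell
# Print the CVE(s) affecting an NGINX Open Source version string such as 1.31.1.
affected_cves() {
  case "$1" in
    1.31.0)               echo "CVE-2026-42530" ;;
    1.31.1)               echo "CVE-2026-42530 CVE-2026-42055" ;;
    1.30.0|1.30.1|1.30.2) echo "CVE-2026-42055" ;;
    *)                    echo "" ;;
  esac
}
# Reduce the banner nginx -v prints (on stderr) to the bare version number.
version_from_banner() { printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p'; }

# nginx size argument (8k, 4m, 4096) to bytes.
to_bytes() {
  n=${1%[kKmM]}
  case "$1" in *[kK]) echo $((n*1024)) ;; *[mM]) echo $((n*1048576)) ;; *) echo "$n" ;; esac
}

DIRECTIVE='(^|[{;])[[:space:]]*'  # a directive starts a line or follows { or ;
# 0 if any listen directive enables HTTP/3 (the CVE-2026-42530 precondition).
quic_enabled() { grep -Eq "${DIRECTIVE}listen[^;]*[[:space:]]quic([[:space:]]|;)" "$1"; }

# 0 only when all three CVE-2026-42055 conditions coexist in the config file.
# Assumption: the advisory's "above 2 MB" is read as the per-buffer size argument.
h2_overflow_exposed() {
  grep -Eq "${DIRECTIVE}(proxy_http_version[[:space:]]+2|grpc_pass[[:space:]])" "$1" || return 1
  grep -Eq "${DIRECTIVE}ignore_invalid_headers[[:space:]]+off" "$1" || return 1
  size=$(awk '{for(i=1;i<NF;i++) if($i=="large_client_header_buffers"){s=$(i+2); sub(/;/,"",s); print s; exit}}' "$1")
  [ -n "$size" ] && [ "$(to_bytes "$size")" -gt 2097152 ]
}

# Count worker crashes in error.log: "exited on signal N" is the restart signature to watch.
worker_crash_count() { grep -Ec 'worker process [0-9]+ exited on signal [0-9]+' "$1" || true; }

# Constructed sample config and log (not from a real host) so the checks run stand-alone.
AUDIT_DIR=$(mktemp -d)
cat >"$AUDIT_DIR/nginx.conf" <<'EOF'
http {
    large_client_header_buffers 4 4m;
    ignore_invalid_headers off;
    server {
        listen 443 quic reuseport;
        location /api/ { grpc_pass grpc://backend:50051; }
    }
}
EOF
cat >"$AUDIT_DIR/error.log" <<'EOF'
2026/06/18 09:14:02 [alert] 1000#0: worker process 1001 exited on signal 11 (core dumped)
EOF
```

On a real host, save the output of nginx -T to a file and pass that instead of a single nginx.conf, since include directives pull in files the checks would otherwise never see.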

F5's out-of-band release is a signal, not just a notification. They're saying these can't wait. Given what attackers did with the last NGINX critical, that's probably the right read. Full details are in the BleepingComputer writeup and the official F5 advisory.

ByteBot