Introduction
F5 has issued essential security updates to address two significant vulnerabilities discovered in NGINX Open Source. These flaws, if exploited, could permit unauthorized code execution on vulnerable systems. The updates are critical for organizations using NGINX in their operations to secure their infrastructure against potential threats.
Both vulnerabilities have been assigned a CVSS v4 score of 9.2, indicating their high severity. The first vulnerability, identified as CVE-2026-42530, involves a use-after-free issue in the ngx_http_v3_module. The second, CVE-2026-42055, is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. Both vulnerabilities pose significant risks if left unpatched.
Details of the Vulnerabilities
The CVE-2026-42530 vulnerability can be triggered by a remote attacker when the HTTP/3 QUIC module is configured in NGINX Open Source. This flaw allows an attacker to reopen a QPACK encoder stream with a specially crafted HTTP/3 session, potentially executing code on systems where Address Space Layout Randomization (ASLR) is either bypassed or disabled.
The CVE-2026-42055 vulnerability, on the other hand, can be exploited when NGINX is configured to proxy HTTP/2 traffic with certain directives enabled. Specifically, if the ignore_invalid_headers directive is set to off and the buffer size set by the large_client_header_buffers directive exceeds 2 MB, an attacker can execute arbitrary code on affected systems, especially those not protected by ASLR.
Patch Releases and Mitigation
F5 has released patches to fix these vulnerabilities in various versions of NGINX. For CVE-2026-42530, the issue has been resolved in NGINX Open Source version 1.31.2 and NGINX Gateway Fabric version 2.6.4, among others. Similarly, the CVE-2026-42055 vulnerability has been addressed in NGINX Plus version 37.0.2.1 and subsequent versions.
To mitigate the risks associated with CVE-2026-42530, F5 advises disabling the HTTP/3 protocol. For CVE-2026-42055, it is recommended to remove the ignore_invalid_headers off directive from configurations and reduce the size of large_client_header_buffers below 2 MB. These actions can help prevent potential exploitation until patches are applied.
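An added example, not from F5 or the advisory, showing how an administrator could audit an nginx configuration for the three settings named above before the patch is applied: an HTTP/3 listener (listen ... quic or http3 on), ignore_invalid_headers off, and a large_client_header_buffers size at or above 2 MB. The sample configuration is constructed for the demonstration; the parser is a simplified tokenizer that ignores comments and blocks and does not follow include directives.

```python
import re

# Constructed sample nginx.conf fragment (not taken from the advisory) that
# contains every setting the advisory names as a precondition or exposure.
SAMPLE_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;   # above the 2 MB threshold
    server {
        listen 443 ssl;
        listen 443 quic;                # HTTP/3 (ngx_http_v3_module) listener
        http3 on;
    }
}
"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
THRESHOLD_BYTES = 2 * 1024 ** 2   # the 2 MB figure from the advisory


def parse_size(text):
    """Convert an nginx size literal such as '8k' or '4m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text)
    if not m:
        raise ValueError(f"unrecognised nginx size: {text!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def directives(conf):
    """Yield (name, args) for each simple directive; comments and braces dropped."""
    text = re.sub(r"#[^\n]*", "", conf)
    text = text.replace("{", ";").replace("}", ";")   # block headers become statements
    for stmt in text.split(";"):
        tokens = stmt.split()
        if tokens:
            yield tokens[0], tokens[1:]


def audit(conf):
    """Return human-readable findings for the settings the advisory calls out."""
    findings = []
    for name, args in directives(conf):
        if name == "ignore_invalid_headers" and args == ["off"]:
            findings.append("ignore_invalid_headers off (CVE-2026-42055 precondition)")
        elif name == "large_client_header_buffers" and len(args) == 2:
            # Conservative: flag 2 MB exactly too, since mitigation means going below it.
            if parse_size(args[1]) >= THRESHOLD_BYTES:
                findings.append(f"large_client_header_buffers {args[1]} reaches 2 MB "
                                "(CVE-2026-42055 precondition)")
        elif (name == "listen" and "quic" in args) or (name == "http3" and args == ["on"]):
            findings.append(f"HTTP/3 enabled via '{name} {' '.join(args)}' (CVE-2026-42530 exposure)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against the output of `nginx -T`, which prints the fully merged configuration including every included file.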
Importance of Timely Updates
While F5 has not reported any active exploitation of these vulnerabilities, previous instances have shown that security flaws in F5 products are often targeted by cybercriminals. Just last month, another critical flaw termed NGINX Rift was exploited shortly after its disclosure. This history underscores the importance of promptly applying security patches to protect against unauthorized access and potential breaches.
Organizations relying on NGINX should prioritize these updates to safeguard their networks and maintain robust cybersecurity defenses. Regular monitoring and timely application of patches are essential practices in mitigating the risks associated with software vulnerabilities.
