
F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution

June 25, 2026

F5 has released security updates to address two critical vulnerabilities in NGINX Open Source that could allow remote code execution. The flaws, CVE-2026-42530 and CVE-2026-42055, both carry a CVSS v4 score of 9.2. CVE-2026-42530 is a use-after-free vulnerability in the ngx_http_v3_module triggered via a specially crafted HTTP/3 session. CVE-2026-42055 is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module when proxying HTTP/2 traffic under specific configurations. Exploiting either flaw requires an ASLR bypass or a system with ASLR disabled. Patched versions include NGINX Open Source 1.31.2, NGINX Plus 37.0.2.1, and various NGINX Gateway Fabric, Instance Manager, Ingress Controller, and App Protect releases. Mitigations include disabling HTTP/3 for CVE-2026-42530 and adjusting configuration directives for CVE-2026-42055. While no active exploitation has been reported, F5 products have been targeted in the past. The vulnerabilities were discovered and reported by CyStack’s Trung Nguyen.
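As an added example (not code from F5 or from this summary), a small POSIX shell audit helper that compares a reported NGINX version against the patched 1.31.2 Open Source release and flags configurations where HTTP/3 is still enabled, the mitigation named above for CVE-2026-42530. It assumes any version below 1.31.2 is unpatched (other branches may carry their own fixed builds, so confirm against F5's advisory) and assumes the `nginx -v` / `nginx -T` output format shown in the comments; the sample config is constructed.

```shell
#!/bin/sh
# Added audit helper: not F5's code. Assumption: every version below 1.31.2 is
# treated as unpatched; check other branches against the vendor advisory.
PATCHED_VERSION="1.31.2"

# version_lt A B -> exit 0 when dotted version A sorts strictly before B
version_lt() {
    a1=$(echo "$1" | cut -d. -f1); a2=$(echo "$1" | cut -d. -f2); a3=$(echo "$1" | cut -d. -f3)
    b1=$(echo "$2" | cut -d. -f1); b2=$(echo "$2" | cut -d. -f2); b3=$(echo "$2" | cut -d. -f3)
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -lt "${b3:-0}" ]
}

# needs_patch VERSION -> exit 0 when VERSION is below the patched release
needs_patch() {
    version_lt "$1" "$PATCHED_VERSION"
}

# parse_nginx_version "nginx version: nginx/1.31.1" -> prints 1.31.1
# (the line `nginx -v 2>&1` prints on a real host)
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*/\1/p'
}

# http3_enabled CONFIG_TEXT -> exit 0 if a non-comment line turns on QUIC/HTTP/3
# (feed it the output of `nginx -T` on a real host); comment lines are ignored
http3_enabled() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' \
        | grep -Eq '^[[:space:]]*(listen[[:space:]][^;]*quic([[:space:]]|;)|http3[[:space:]]+on[[:space:]]*;)'
}

# Constructed sample configs: one with HTTP/3 on, one with the mitigation applied.
CONSTRUCTED_CONF_H3='server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http3 on;
}'
CONSTRUCTED_CONF_MITIGATED='server {
    listen 443 ssl;
    # listen 443 quic reuseport;   (QUIC listener removed)
    http3 off;
}'
```

On a live host, pass `"$(nginx -v 2>&1)"` to `parse_nginx_version` and `"$(nginx -T 2>/dev/null)"` to `http3_enabled`; a hit on either check means the server is still exposed to the HTTP/3 path this advisory describes.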

CVEs: CVE-2026-42530, CVE-2026-42055, CVE-2026-42945, CVE-2026-11645

Companies: F5, CyStack

Products: NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, NGINX Instance Manager, NGINX Ingress Controller, NGINX App Protect WAF, NGINX App Protect DoS, F5 WAF for NGINX, F5 DoS for NGINX