PROBABLYPWNED
Vulnerabilities | June 19, 2026 | 3 min read

F5 Patches Two Critical NGINX Flaws Enabling Remote Code Execution

F5 releases out-of-band patches for CVE-2026-42530 and CVE-2026-42055, both CVSS 9.2 vulnerabilities in NGINX Open Source that allow unauthenticated remote code execution.

Marcus Chen

F5 has issued emergency out-of-band patches for two critical vulnerabilities in NGINX Open Source, both carrying CVSS scores of 9.2 and capable of allowing remote attackers to execute arbitrary code on affected systems.

The flaws affect core HTTP/3 and HTTP/2 proxy modules that organizations rely on for high-performance web traffic handling. With NGINX powering roughly 34% of all web servers globally, the attack surface here is substantial.

CVE-2026-42530: HTTP/3 Use-After-Free

The first vulnerability resides in the ngx_http_v3_module component responsible for handling HTTP/3 QUIC traffic. According to F5's advisory, the flaw allows a remote unauthenticated attacker to trigger memory corruption by reopening a QPACK encoder stream through a specially crafted HTTP/3 session.

On systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed, this memory corruption can be turned into arbitrary code execution. Even with ASLR intact, a failed or opportunistic exploitation attempt crashes the NGINX worker process, which the master then restarts: a denial-of-service condition that a remote attacker can repeat to keep web applications offline.

Affected versions include NGINX Open Source 1.31.0 and 1.31.1. The fix ships in version 1.31.2.

CVE-2026-42055: Heap Overflow in Proxy Modules

The second vulnerability is a heap-based buffer overflow affecting both ngx_http_proxy_v2_module and ngx_http_grpc_module. Exploitation requires a specific combination of settings: an HTTP/2 upstream (a proxy_http_version 2 or grpc_pass directive routing HTTP/2 traffic), ignore_invalid_headers set to off, and large_client_header_buffers sized above 2 MB.

That combination isn't the default, but it is common enough in enterprise deployments fronting gRPC microservices. Where it is present, an attacker can overflow the heap buffer and reach code execution, with the same caveat about ASLR as above.

This flaw has a broader affected range: NGINX Plus R33 through R37, NGINX Open Source 1.29.0 through 1.31.1, and multiple versions of NGINX Ingress Controller and Instance Manager. F5 has patched it in NGINX Plus 37.0.2.1 and NGINX Open Source 1.30.3/1.31.2.

Immediate Actions

Organizations running affected NGINX versions should patch immediately. For those who cannot deploy updates right away, F5 recommends these mitigations:

  1. CVE-2026-42530: Remove the quic parameter from all listen directives to disable HTTP/3
  2. CVE-2026-42055: Remove the ignore_invalid_headers off directive (restoring the default of on), or reduce large_client_header_buffers below 2 MB
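The following script is an added example, not F5's tooling or anything from the advisory, that ties the two mitigations above to the version check urged at the end of this article. It classifies an NGINX Open Source version string against the affected ranges stated here, and scans a config fragment for the three preconditions (a quic listen, ignore_invalid_headers off, and an oversized large_client_header_buffers). The "2 MB" threshold is applied to the per-buffer size, which is an assumption since the advisory text does not say whether it means per buffer or total; the two config fragments are constructed for the demo and describe no real deployment.

```shell
#!/bin/sh
# Added example (not F5's code): audit an NGINX version string and a
# config fragment against the preconditions this article lists.
# Version ranges come from the article; the 2 MB threshold is applied
# to the per-buffer size of large_client_header_buffers (an assumption).

# Convert "1.31.1" -> 1031001 so versions can be compared as integers.
ver_num() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print the CVEs an NGINX Open Source version is exposed to, per the article:
#   CVE-2026-42530: 1.31.0 and 1.31.1, fixed in 1.31.2
#   CVE-2026-42055: 1.29.0 through 1.31.1, fixed in 1.30.3 and 1.31.2
affected_cves() {
  v=$(ver_num "$1")
  out=""
  if [ "$v" -ge 1031000 ] && [ "$v" -lt 1031002 ]; then
    out="CVE-2026-42530"
  fi
  if { [ "$v" -ge 1029000 ] && [ "$v" -lt 1030003 ]; } || \
     { [ "$v" -ge 1031000 ] && [ "$v" -lt 1031002 ]; }; then
    out="${out:+$out }CVE-2026-42055"
  fi
  printf '%s\n' "$out"
}

# Read an nginx config on stdin and print one finding per line.
# Only the text given is scanned; "include" directives are not followed.
audit_conf() {
  grep -v '^[[:space:]]*#' | awk '
    # listen ... quic -> HTTP/3 enabled (CVE-2026-42530 precondition)
    /^[[:space:]]*listen[[:space:]]/ && /[[:space:]]quic([[:space:]]|;)/ {
      print "quic_listen: HTTP/3 enabled; remove quic from listen (CVE-2026-42530)"
    }
    # ignore_invalid_headers off (CVE-2026-42055 precondition)
    /^[[:space:]]*ignore_invalid_headers[[:space:]]+off[[:space:]]*;/ {
      print "ignore_invalid_headers_off: remove the directive to restore the default of on (CVE-2026-42055)"
    }
    # large_client_header_buffers <number> <size>; flag a per-buffer size above 2 MB
    /^[[:space:]]*large_client_header_buffers[[:space:]]/ {
      size = $3; sub(/;.*/, "", size)
      unit = tolower(substr(size, length(size)))
      bytes = size + 0            # awk keeps the leading number of "4m"
      if (unit == "k") bytes = bytes * 1024
      if (unit == "m") bytes = bytes * 1024 * 1024
      if (bytes > 2 * 1024 * 1024)
        print "large_client_header_buffers: " size " exceeds 2 MB; reduce it (CVE-2026-42055)"
    }'
}

# Number of findings for a config passed as a string.
finding_count() {
  printf '%s\n' "$1" | audit_conf | awk 'END { print NR }'
}

# Constructed sample fragment carrying every precondition (not a real deployment).
RISKY_CONF='
http {
    large_client_header_buffers 4 4m;
    server {
        listen 443 quic reuseport;
        listen 443 ssl;
        ignore_invalid_headers off;
        location /api/ {
            grpc_pass grpc://backend:50051;
        }
    }
}'

# The same fragment with the mitigations from this article applied.
SAFE_CONF='
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location /api/ {
            grpc_pass grpc://backend:50051;
        }
    }
}'

# Demo on the constructed fragments. On a live host run, for example:
#   affected_cves "$(nginx -v 2>&1 | sed "s#.*/##")"
#   audit_conf < /etc/nginx/nginx.conf
echo "1.31.1 -> $(affected_cves 1.31.1)"
printf '%s\n' "$RISKY_CONF" | audit_conf
echo "mitigated fragment findings: $(finding_count "$SAFE_CONF")"
```

Because the audit does not follow include files, run it once per file that nginx -T prints, or feed it the full `nginx -T` dump; the version check only covers the Open Source numbering described here, not NGINX Plus release names.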

The timing matters. We've seen critical web server vulnerabilities land in CISA's Known Exploited Vulnerabilities catalog within days of disclosure when proof-of-concept code surfaces. With two CVSS 9.2 flaws now public, threat actors are almost certainly examining these patches to reverse-engineer exploits.

Why This Matters

NGINX sits at the edge of countless corporate networks, handling authentication, load balancing, and API gateway functions. A compromise here gives attackers a foothold before traffic even reaches backend applications. The HTTP/3 flaw is particularly concerning—QUIC adoption is accelerating as organizations chase performance gains, and many deployments may have enabled it recently without hardening the configuration.

Check your NGINX version today. Anything from 1.29.0 through 1.31.1 needs the update for CVE-2026-42055, and if you're running 1.31.x with HTTP/3 enabled, both flaws apply and the clock is ticking.
