
F5 has issued out-of-band patches for multiple NGINX vulnerabilities, including two critical flaws tracked as CVE-2026-42530 and CVE-2026-42055 (both CVSS 9.2). The bugs affect HTTP modules and can be exploited remotely without authentication to trigger memory corruption in the worker process, potentially causing service restarts or enabling arbitrary code execution.
The flaw CVE-2026-42530 (CVSS score of 9.2) is a critical Use-After-Free vulnerability in the ngx_http_v3_module of NGINX Open Source. When HTTP/3 QUIC support is enabled, a remote unauthenticated attacker can exploit a specially crafted HTTP/3 session to reopen a QPACK encoder stream, causing memory corruption in the NGINX worker process. Successful exploitation may lead to service disruption and worker process restarts, and under certain conditions, such as when ASLR is disabled or bypassed, could allow arbitrary code execution.
“NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-After-Free in the NGINX worker process, leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. (CVE-2026-42530)” reads the advisory. “This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only.”
The second flaw, tracked as CVE-2026-42055 (CVSS score of 9.2), is a critical heap-based buffer overflow vulnerability affecting the ngx_http_proxy_v2_module and ngx_http_grpc_module in NGINX Open Source and NGINX Plus. Under specific configurations involving HTTP/2 proxying, disabled header validation, and large header buffers, a remote unauthenticated attacker can send specially crafted oversized headers to trigger memory corruption in the worker process. Successful exploitation may cause service disruption and worker process restarts, and in environments where ASLR is disabled or bypassed, could potentially lead to arbitrary code execution.
“This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution; however, exploitation requires non-default configuration to be present,” states the advisory.
In other words, CVE-2026-42055 can lead to DoS or potential code execution only in non-default configurations: exploitation requires HTTP/2 proxying, disabled header validation, and unusually large header buffers to be present together. Default deployments are not affected, and the issue impacts only the data plane, not the control plane.
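The fix for both flaws is the vendor update, but a defender triaging a fleet first wants to know which hosts expose the affected modules. The script below is an added example, not F5's tooling or anything from the advisory: it parses an nginx.conf and flags the two exposure conditions the advisory describes, HTTP/3 (QUIC) being enabled for CVE-2026-42530, and the combination of HTTP/2 proxying, disabled header validation and large header buffers for CVE-2026-42055. The directive names used (`listen ... quic`, `http3`, `grpc_pass`, `ignore_invalid_headers`, `large_client_header_buffers`) are real NGINX directives, but mapping them onto the advisory's wording is this example's assumption; in particular, the advisory does not say which directive it means by "header validation", and the ngx_http_proxy_v2_module's own directives are not covered here. The sample configurations are constructed for the example.

```python
import re

# Constructed sample configurations for this example (not taken from the advisory).
EXPOSED_CONF = """
http {
    large_client_header_buffers 4 64k;   # larger than the 8k default
    ignore_invalid_headers off;          # header validation disabled (assumed mapping)
    server {
        listen 443 ssl;
        listen 443 quic;                 # HTTP/3 listener
        http3 on;
        location /api/ { grpc_pass grpc://backend:50051; }   # HTTP/2 to the upstream
    }
}
"""

HARDENED_CONF = """
http {
    server {
        listen 443 ssl;
        location /api/ { proxy_pass http://backend:8080; }
    }
}
"""

# NGINX size suffixes; a bare number is bytes.
SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
# NGINX default is "large_client_header_buffers 4 8k"; anything above 8k is treated
# as "large" here (threshold chosen for this example, not taken from the advisory).
DEFAULT_LARGE_HEADER_BUFFER = 8 * 1024


def parse_size(token):
    """Convert an NGINX size token such as '64k' into bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"not an NGINX size: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def parse_directives(conf):
    """Return (name, args) pairs for every simple directive in the config.

    Comments are stripped first; block headers such as 'server {' carry no
    terminating ';' and are skipped, while directives inside blocks are kept.
    """
    stripped = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    pairs = re.findall(r"([a-z_0-9]+)\s+([^;{}]*?)\s*;", stripped)
    return [(name, args.split()) for name, args in pairs]


def audit(conf):
    """Flag the configuration features the advisory ties to each CVE."""
    d = parse_directives(conf)
    http3 = any(n == "http3" and a == ["on"] for n, a in d) or any(
        n == "listen" and "quic" in a for n, a in d)
    h2_proxy = any(n == "grpc_pass" for n, a in d)
    validation_off = any(n == "ignore_invalid_headers" and a == ["off"] for n, a in d)
    big_buffers = any(
        n == "large_client_header_buffers" and len(a) == 2
        and parse_size(a[1]) > DEFAULT_LARGE_HEADER_BUFFER
        for n, a in d)

    findings = []
    if http3:
        findings.append("CVE-2026-42530: HTTP/3 (QUIC) enabled; ngx_http_v3_module is "
                        "reachable from the network, patch before anything else")
    # The overflow needs all three non-default conditions at once.
    if h2_proxy and validation_off and big_buffers:
        findings.append("CVE-2026-42055: HTTP/2 proxying, ignore_invalid_headers off and "
                        "large_client_header_buffers above default are all present")
    return {
        "http3_enabled": http3,
        "h2_proxying": h2_proxy,
        "header_validation_off": validation_off,
        "large_header_buffers": big_buffers,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"[{label}] findings: {result['findings'] or 'none'}")
```

A clean audit only means the affected code paths are not reachable through the configuration; the binary still needs the patched version, and `nginx -V` (which prints the configure arguments, including `--with-http_v3_module` when HTTP/3 was compiled in) is the quickest way to confirm what a given build contains.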
F5 has released security updates for NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric to fix the recently disclosed vulnerabilities.
The company also addressed two high-severity vulnerabilities, tracked as CVE-2026-11311 and CVE-2026-50107, in NGINX Gateway Fabric that could allow authenticated attackers to inject arbitrary NGINX configuration directives.
At this time, there are no reports of in-the-wild attacks exploiting any of these vulnerabilities.
(SecurityAffairs – hacking, F5)