NGINX Critical Flaws: Patch Before Your Web Server Starts Freelancing

F5 released patches for two critical NGINX Open Source vulnerabilities that could enable remote code execution. CVE-2026-42530 is a use-after-free issue in the HTTP/3 QUIC module affecting certain configurations. CVE-2026-42055 is a heap-based buffer overflow affecting HTTP/2 proxying or gRPC configurations with specific directives. Both have CVSS v4 scores of 9.2. Fixes are available across affected NGINX Open Source, NGINX Plus, Gateway Fabric, Ingress Controller and App Protect products. Mitigations include disabling HTTP/3 or adjusting unsafe configuration directives.

F5 has released fixes for two critical vulnerabilities in NGINX Open Source that could allow remote code execution on affected systems. Given how widely NGINX is used across web hosting, reverse proxying, APIs and cloud-native environments, this is one of those updates worth treating with urgency.

The first flaw, CVE-2026-42530, affects the HTTP/3 QUIC module. A remote unauthenticated attacker could trigger a use-after-free condition using a crafted HTTP/3 session. Exploitation depends on conditions such as ASLR being disabled or bypassed, but the risk remains serious.

The second flaw, CVE-2026-42055, is a heap-based buffer overflow affecting certain HTTP/2 proxy and gRPC configurations. It requires particular directives, including ignore_invalid_headers off and large client header buffers above 2 MB. In vulnerable setups, attackers may be able to crash worker processes or potentially execute code.

The affected product list includes NGINX Open Source, NGINX Plus, Gateway Fabric, Ingress Controller, Instance Manager, App Protect WAF and related F5 components.

F5 advises patching to fixed versions. Where patching cannot be done immediately, organisations should disable HTTP/3 for CVE-2026-42530 and remove risky configuration settings or reduce buffer sizes for CVE-2026-42055.
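
As an added example (not from F5 or the NGINX project), the following script checks an nginx configuration for the conditions named above: an HTTP/3 listener for CVE-2026-42530, and ignore_invalid_headers off, large_client_header_buffers above 2 MB and HTTP/2 or gRPC proxying for CVE-2026-42055. The config fragment is constructed for the demonstration; the script matches directives textually and does not follow include files, so treat its output as a triage list rather than proof of exposure.

```python
import re

# Constructed nginx.conf fragment used as sample input (not from any real deployment).
SAMPLE_CONF = """
http {
    ignore_invalid_headers off;                 # weak: lets malformed headers through
    large_client_header_buffers 4 4m;           # weak: above the 2 MB threshold
    server {
        listen 443 ssl;
        listen 443 quic reuseport;              # HTTP/3 listener
        http3 on;
        http2 on;
        location /api { grpc_pass grpc://backend:50051; }
    }
}
"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

def parse_size(token):
    """Convert an nginx size token (4096, 8k, 2m) into bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised nginx size: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def audit(conf):
    """Return the advisory-relevant indicators found in a config, keyed by CVE."""
    # Drop comments so a commented-out directive is not reported as active.
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    found = {"CVE-2026-42530": [], "CVE-2026-42055": []}
    if re.search(r"\blisten\b[^;]*\bquic\b", text) or re.search(r"\bhttp3\s+on\s*;", text):
        found["CVE-2026-42530"].append("HTTP/3 (QUIC) enabled")
    if re.search(r"\bignore_invalid_headers\s+off\s*;", text):
        found["CVE-2026-42055"].append("ignore_invalid_headers off")
    for num, size in re.findall(r"\blarge_client_header_buffers\s+(\d+)\s+(\S+?)\s*;", text):
        if parse_size(size) > 2 * 1024 ** 2:
            found["CVE-2026-42055"].append(f"large_client_header_buffers {num} {size} (above 2 MB)")
    if re.search(r"\bgrpc_pass\b", text) or re.search(r"\bhttp2\s+on\s*;|\blisten\b[^;]*\bhttp2\b", text):
        found["CVE-2026-42055"].append("HTTP/2 or gRPC proxying configured")
    return found

if __name__ == "__main__":
    for cve, items in audit(SAMPLE_CONF).items():
        print(cve, "->", ", ".join(items) or "no indicators")
```

Run it against the output of `nginx -T` to cover included files as well as the main configuration.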

The practical advice is familiar: know where NGINX runs, check whether HTTP/3, HTTP/2 proxying or gRPC are enabled, patch promptly and monitor for unusual crashes or exploitation attempts.

Web servers are supposed to serve pages, not surprise attackers with root shells.