F5 Releases Patches for Two Critical NGINX Open Source Flaws

F5 has released security updates for NGINX Open Source. The patches fix two critical flaws that could create serious risk for affected systems.

The two flaws are CVE-2026-42530 and CVE-2026-42055. Both have a CVSS v4 score of 9.2. Because of this, IT and security teams should review their NGINX systems as soon as possible.

This issue matters because many companies use NGINX as a web server, reverse proxy, and cloud component. If teams do not fix the flaws, exposed systems may face higher risk.

What Is the Main Risk?

The main risk is service disruption and possible remote code execution. In simple terms, an attacker may be able to affect NGINX from a remote location.

However, not every NGINX setup is vulnerable. These flaws need specific versions and settings. So, teams should check both the NGINX version and the active configuration.

Also, internet-facing systems need faster attention. Attackers often scan public systems for newly disclosed flaws.

CVE-2026-42530: A Flaw in HTTP/3 QUIC

CVE-2026-42530 is a use-after-free flaw in the ngx_http_v3_module. This module supports HTTP/3 and QUIC.

A remote attacker may trigger the flaw without logging in. However, the affected NGINX system must use the vulnerable HTTP/3 QUIC setup.

If the attack works, it may crash or disrupt the NGINX worker process. In some cases, it may also lead to code execution.

As a temporary step, F5 recommends disabling HTTP/3. This can reduce risk before teams apply the patch.

CVE-2026-42055: A Flaw in HTTP/2 Proxy and gRPC

CVE-2026-42055 is a heap-based buffer overflow flaw. It affects the ngx_http_proxy_v2_module and ngx_http_grpc_module modules.

The risk appears when NGINX proxies HTTP/2 or gRPC traffic. Also, certain settings must be present.

For example, the setup may use proxy_http_version 2 or grpc_pass. The risk also increases when ignore_invalid_headers is set to off and large_client_header_buffers is larger than 2 MB.

Therefore, teams should review NGINX configuration files carefully. If they find these settings, they should fix them quickly.

Which Versions Need Updates?

F5 has released fixed versions for affected products. For CVE-2026-42530, NGINX Open Source 1.31.0 and 1.31.1 are affected.

For CVE-2026-42055, NGINX Open Source 1.31.1 is affected. NGINX Open Source 1.30.0 through 1.30.2 are also affected. The fixed versions are 1.31.2 and 1.30.3.

Several related products may also be affected. These include NGINX Plus, NGINX Gateway Fabric, NGINX Instance Manager, and NGINX Ingress Controller.

Because of this, teams should check all NGINX-related components. They should not only check the main web server.

Recommended Mitigation Steps

The best step is to update to a fixed version. However, teams may need temporary actions before they can patch.

For CVE-2026-42530, disable HTTP/3. This is useful when the organization does not need HTTP/3 right away.

For CVE-2026-42055, remove the ignore_invalid_headers off setting. Also, reduce large_client_header_buffers to less than 2 MB.

After making changes, reload or restart NGINX using the normal process. Then, confirm that the new configuration is active.

Why Teams Should Act Fast

The Hacker News reported that F5 did not mention active exploitation for these two flaws. However, attackers have abused F5 and NGINX flaws in the past.

Because of this, delayed patching can increase risk. The risk is higher when NGINX supports public websites, API gateways, or production services.

Also, attackers often move quickly after new flaws become public. Once technical details spread, exploit attempts may appear faster.

Key Takeaway

These two NGINX flaws deserve serious attention. They may cause service disruption and possible remote code execution.

The safest action is to update NGINX to a fixed version. Teams should also review HTTP/3, HTTP/2 proxy, gRPC, and header buffer settings.

In the end, fast patching and safe configuration matter most. With the right steps, organizations can reduce risk before attackers take advantage of the flaws.

Source: https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html