F5 Patches Two Critical NGINX RCE Flaws: CVE-2026-42530 & CVE-2026-42055
F5 has released emergency security updates to address two critical vulnerabilities in NGINX Open Source, both carrying a CVSS v4 score of 9.2, that could allow remote unauthenticated attackers to execute arbitrary code on affected systems. The flaws—CVE-2026-42530 and CVE-2026-42055—target widely deployed modules and require immediate patching, particularly for organizations running web infrastructure exposed to the internet. Administrators can begin by verifying their exposure using a port scanner to identify publicly accessible NGINX instances.
CVE-2026-42530 is a use-after-free vulnerability in the ngx_http_v3_module, triggered when NGINX is configured with the HTTP/3 QUIC module and processes a specially crafted HTTP/3 session that reopens a QPACK encoder stream. CVE-2026-42055 is a heap-based buffer overflow affecting the ngx_http_proxy_v2_module and ngx_http_grpc_module; it is exploitable only when all three of the following hold: proxy_http_version is set to 2 or grpc_pass directives are in use, ignore_invalid_headers is set to "off," and the large_client_header_buffers directive is set to a size above 2 MB. Both vulnerabilities require attackers to either disable or bypass Address Space Layout Randomization (ASLR) to achieve reliable code execution. Organizations relying on NGINX as a reverse proxy should run an SSL/TLS checker alongside their patch cycle to confirm cipher and protocol hygiene across front-end endpoints.
Patches have been issued across a broad product surface, including NGINX Open Source 1.30.x and 1.31.x, NGINX Plus R33–R37, NGINX Gateway Fabric, NGINX Instance Manager, NGINX Ingress Controller (3.5.x through 5.5.x), F5 WAF for NGINX, and NGINX App Protect and DoS modules. F5 has also published mitigations for environments where immediate patching is not feasible: administrators are advised to disable HTTP/3 to address CVE-2026-42530, and for CVE-2026-42055, either remove the ignore_invalid_headers off directive or lower large_client_header_buffers below the 2 MB threshold. Network defenders should additionally audit traffic flows for signs of anomalous proxy or QUIC behavior using a VPN/proxy detector to flag unexpected intermediate hops targeting NGINX front-ends.
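As an added example (this is not F5's or the NGINX project's code), the following Python script scans the text of an nginx -T configuration dump for the conditions listed in the two preceding paragraphs and reports which of the published mitigations applies. The sample configuration embedded in the script is constructed for illustration. The script assumes the 2 MB threshold refers to the size argument of large_client_header_buffers, takes the proxy_http_version value of 2 exactly as the advisory summary states it, and performs a flat textual scan that does not track server or location block nesting, so it reports a condition if the directive appears anywhere in the dump.

```python
import re

# Constructed sample configuration, shaped like `nginx -T` output.
# It is an illustration for this example, not configuration from the advisory.
SAMPLE_CONFIG = """
http {
    server {
        listen 443 quic reuseport;         # HTTP/3 listener (CVE-2026-42530)
        listen 443 ssl;
        http3 on;
        ignore_invalid_headers off;        # condition 2 for CVE-2026-42055
        large_client_header_buffers 4 4m;  # condition 3: buffer size above 2 MB
        location /api/ {
            grpc_pass grpc://backend:50051;  # condition 1: gRPC upstream
        }
    }
}
"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
TWO_MB = 2 * 1024 ** 2


def strip_comments(text):
    """Drop '#' comments so commented-out directives are not counted."""
    return re.sub(r"#.*", "", text)


def parse_nginx_size(token):
    """Convert an nginx size token (4096, 8k, 4m, 1g) into bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token)
    if not m:
        raise ValueError(f"unrecognised nginx size: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def directive_args(text, name):
    """Return the argument list of every occurrence of directive `name`.

    Flat textual scan (assumption of this example): block nesting is not
    tracked, so a directive anywhere in the dump counts as present.
    """
    pattern = rf"(?m)^\s*{name}\s+([^;{{}}]+);"
    return [m.group(1).split() for m in re.finditer(pattern, text)]


def audit(config_text):
    """Return [(cve_id, advice), ...] for the advisory conditions found."""
    text = strip_comments(config_text)
    findings = []

    # CVE-2026-42530: reachable when the HTTP/3 (QUIC) module is in use.
    quic_listener = any("quic" in args for args in directive_args(text, "listen"))
    http3_on = any(args[:1] == ["on"] for args in directive_args(text, "http3"))
    if quic_listener or http3_on:
        findings.append(("CVE-2026-42530",
                         "HTTP/3 is enabled: patch, or disable HTTP/3 until patched"))

    # CVE-2026-42055: all three conditions must hold at once.
    proxy_v2 = any(args[:1] == ["2"] for args in directive_args(text, "proxy_http_version"))
    grpc = bool(directive_args(text, "grpc_pass"))
    invalid_off = any(args[:1] == ["off"]
                      for args in directive_args(text, "ignore_invalid_headers"))
    buffer_sizes = [parse_nginx_size(args[1])
                    for args in directive_args(text, "large_client_header_buffers")
                    if len(args) >= 2]
    oversized = any(size > TWO_MB for size in buffer_sizes)
    if (proxy_v2 or grpc) and invalid_off and oversized:
        findings.append(("CVE-2026-42055",
                         "HTTP/2 proxy or grpc_pass with ignore_invalid_headers off and "
                         "large_client_header_buffers above 2 MB: patch, or remove the "
                         "'ignore_invalid_headers off' directive or lower the buffer "
                         "size below 2 MB"))
    return findings


if __name__ == "__main__":
    for cve, advice in audit(SAMPLE_CONFIG):
        print(f"{cve}: {advice}")
```

Run it against a real dump with `nginx -T > dump.conf` and `audit(open("dump.conf").read())`. Because the 42055 finding requires the conjunction of all three conditions, changing any one of them (for example setting ignore_invalid_headers back to on, or lowering the buffer size) clears that finding, which mirrors the either/or mitigation F5 published.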
While F5 has not confirmed in-the-wild exploitation of these specific flaws, the company noted that prior NGINX defects—such as the recently disclosed CVE-2026-42945 ("NGINX Rift")—came under active attack within days of public disclosure, underscoring the narrow window defenders have before threat actors weaponize new code execution bugs. Security teams are urged to prioritize patching or mitigation across all affected versions and to monitor NGINX logs for unusual HTTP/3 session resets, oversized header payloads, and unexpected grpc_pass traffic patterns.