Ethical Hacking News
F5 has released security patches to address two critical vulnerabilities in NGINX Open Source, which could allow remote code execution on affected systems. System administrators are advised to patch their systems and implement recommended mitigations to prevent exploitation by malicious actors.
F5 Networks has released security patches for two critical vulnerabilities in NGINX Open Source. The vulnerabilities have a CVSS v4 score of 9.2, indicating high-severity risks. CVE-2026-42530 is related to a use-after-free vulnerability in the HTTP/3 QUIC module. CVE-2026-42055 involves a heap-based buffer overflow vulnerability in the proxy HTTP/2 traffic processing module. Patches are available for NGINX products, including Open Source, Gateway Fabric, and more. Recommendations to mitigate these vulnerabilities include disabling HTTP/3 and adjusting configuration directives. Both vulnerabilities have been exploited in the wild before public disclosure. System administrators are advised to patch their systems immediately and remain vigilant against emerging threats.
F5 Networks has recently released security patches to address two critical vulnerabilities found in the popular open-source web server software, NGINX Open Source. The identified flaws, denoted as CVE-2026-42530 and CVE-2026-42055, have been rated at a CVSS v4 score of 9.2, indicating that they are considered high-severity vulnerabilities with significant exploitation risks.
CVE-2026-42530 is related to a use-after-free vulnerability in the ngx_http_v3_module of NGINX Open Source, which could potentially be exploited by an unauthenticated remote attacker when the HTTP/3 QUIC module is used. This vulnerability can allow the attacker to reopen a QPACK encoder stream using specially crafted HTTP/3 sessions and execute arbitrary code on vulnerable systems with Address Space Layout Randomization (ASLR) disabled or bypassed.
CVE-2026-42055 is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules of NGINX Open Source. It can be triggered by an unauthenticated remote attacker when specific directives are in use during proxy HTTP/2 traffic processing, and could likewise be exploited to execute arbitrary code on vulnerable systems with ASLR disabled or bypassed.
Both vulnerabilities have been patched in current NGINX releases. The affected product versions, with the fixed versions where F5 lists them, are:
CVE-2026-42530:
* NGINX Open Source 1.31.0 - 1.31.1 (Fixed in 1.31.2)
* NGINX Gateway Fabric 2.0.0 - 2.6.3 (Fixed in 2.6.4)
* NGINX Gateway Fabric 1.3.0 - 1.6.2
* NGINX Instance Manager 2.17.0 - 2.22.0
* NGINX Ingress Controller 5.0.0 - 5.5.0
* NGINX Ingress Controller 4.0.0 - 4.0.1
* NGINX Ingress Controller 3.5.0 - 3.7.2
CVE-2026-42055:
* NGINX Plus 37.0.0 - 37.0.1 (Fixed in 37.0.2.1)
* NGINX Plus R33 - R36 (Fixed in R36 P6)
* NGINX Open Source 1.31.1 (Fixed in 1.31.2)
* NGINX Open Source 1.30.0 - 1.30.2 (Fixed in 1.30.3)
* NGINX Instance Manager 2.17.0 - 2.22.0
* F5 WAF for NGINX 5.9.0 - 5.13.1
* NGINX App Protect WAF 5.2.0 - 5.8.0
* NGINX App Protect WAF 4.10.0 - 4.16.0
* F5 DoS for NGINX 4.9.0
* NGINX App Protect DoS 4.3.0 - 4.7.0
* NGINX Gateway Fabric 2.0.0 - 2.6.3 (Fixed in 2.6.4)
* NGINX Gateway Fabric 1.3.0 - 1.6.2
* NGINX Ingress Controller 5.0.0 - 5.5.0
* NGINX Ingress Controller 4.0.0 - 4.0.1
* NGINX Ingress Controller 3.5.0 - 3.7.2
Where patching cannot happen immediately, F5 recommends disabling HTTP/3 on affected systems (the HTTP/3 QUIC module is the entry point for the use-after-free) and, for the proxy HTTP/2 overflow, removing the "ignore_invalid_headers off" directive from the configuration or reducing the large_client_header_buffers directive size to below 2 MB.
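As an added example (not F5's or the NGINX project's own code), a small Python audit that scans an nginx configuration for the three settings the advisory's mitigations name: a QUIC (HTTP/3) listener, ignore_invalid_headers off, and a large_client_header_buffers size of 2 MB or more. The two configurations are constructed samples, the 2 MB threshold is the figure from the advisory text, and the matching is a plain regex pass rather than a full nginx configuration parser, so include files are not followed.

```python
import re
# Constructed sample config with the three risky settings the advisory names.
VULNERABLE_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 quic reuseport;   # enables HTTP/3
        listen 443 ssl;
        location / { proxy_pass http://backend; proxy_http_version 2; }
    }
}
"""

# Constructed sample of the same config with the mitigations applied.
MITIGATED_CONF = """
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location / { proxy_pass http://backend; proxy_http_version 2; }
    }
}
"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def parse_size(token):
    """Convert an nginx size token such as 16k or 2m into bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised nginx size: {token}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def audit_nginx_config(text):
    """Return finding tags for the advisory's three mitigations (empty if clean)."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching
    findings = []
    # HTTP/3 is served from a "listen ... quic" socket (CVE-2026-42530 exposure).
    if re.search(r"\blisten\b[^;]*\bquic\b", text):
        findings.append("http3_enabled")
    # ignore_invalid_headers off is one of the directives named for CVE-2026-42055.
    if re.search(r"\bignore_invalid_headers\s+off\s*;", text):
        findings.append("ignore_invalid_headers_off")
    # Flag large_client_header_buffers whose per-buffer size is 2 MB or more.
    for m in re.finditer(r"\blarge_client_header_buffers\s+\d+\s+(\S+?)\s*;", text):
        if parse_size(m.group(1)) >= 2 * 1024 * 1024:
            findings.append("large_client_header_buffers_" + m.group(1))
    return findings
```

Running `audit_nginx_config` over each sample returns the three findings for the first configuration and none for the mitigated one.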
Unfortunately, both of these vulnerabilities have been exploited in the wild before their public disclosure. The discovery of CVE-2026-42945, another critical security defect in NGINX Plus and NGINX Open Source also referred to as "NGINX Rift," has shown that similar security flaws in F5 products are repeatedly being exploited by malicious actors.
In light of these risks, system administrators are advised to take immediate action to patch their systems and adhere to the recommended mitigations provided by F5. Furthermore, ongoing vigilance against emerging threats is necessary to ensure the continued integrity and security of vulnerable systems.
Related Information:
https://www.ethicalhackingnews.com/articles/F5-Patches-Critical-NGINX-Flaws-Warns-of-Remote-Code-Execution-Risks-ehn.shtml
https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html
https://nvd.nist.gov/vuln/detail/CVE-2026-42530
https://www.cvedetails.com/cve/CVE-2026-42530/
https://nvd.nist.gov/vuln/detail/CVE-2026-42055
https://www.cvedetails.com/cve/CVE-2026-42055/
https://nvd.nist.gov/vuln/detail/CVE-2026-42945
https://www.cvedetails.com/cve/CVE-2026-42945/
Published: Thu Jun 18 13:47:21 2026 by llama3.2 3B Q4_K_M