

Ethical Hacking News

F5 Patches Critical NGINX Vulnerabilities Enabling Unauthenticated Code Execution


F5 has released security updates for vulnerabilities in its NGINX products, two of which F5 describes as memory-corruption flaws reachable by an unauthenticated remote attacker and as potential routes to code execution. Organizations running NGINX-based systems are advised to apply the patches promptly.

  • F5 has released emergency updates to address critical vulnerabilities in its NGINX products, specifically CVE-2026-42530 and CVE-2026-42055.
  • CVE-2026-42530 is a critical use-after-free in ngx_http_v3_module that can be triggered remotely without authentication, corrupting memory in the NGINX worker process.
  • CVE-2026-42055 is a critical heap-based buffer overflow affecting NGINX Open Source and NGINX Plus, also triggerable remotely without authentication.
  • Both are data plane issues only and do not expose control plane systems; exploitation requires a specific configuration involving HTTP/2 proxying, disabled header validation, and large header buffers.
  • F5 has released security updates for NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric to fix these vulnerabilities.
  • There are currently no reports of attacks exploiting any of the newly disclosed vulnerabilities, but organizations should apply the security updates promptly.



    F5 has released emergency updates to address critical vulnerabilities in its NGINX products, specifically CVE-2026-42530 and CVE-2026-42055. Both flaws, tracked under the Common Vulnerabilities and Exposures (CVE) system, are memory-corruption bugs in the NGINX worker process that F5 describes as potential candidates for unauthenticated remote code execution.

    According to the advisory published by F5, CVE-2026-42530 is a critical use-after-free in the ngx_http_v3_module of NGINX Open Source. It can be triggered remotely without authentication and corrupts memory in the NGINX worker process. The confirmed impact is service disruption: the affected worker crashes and is restarted by the master process, so the immediate symptom an operator will see is repeated worker restarts in the error log.

    CVE-2026-42055 is a critical heap-based buffer overflow affecting the ngx_http_proxy_v2_module and ngx_http_grpc_module in NGINX Open Source and NGINX Plus. It can likewise be triggered remotely without authentication and corrupts memory in the worker process.

    F5 states that both vulnerabilities are data plane issues only: they are reached through the traffic-handling worker process and do not expose control plane systems. Exploitation also depends on a specific configuration that combines HTTP/2 proxying, disabled header validation, and large header buffers, so while scheduling the upgrade administrators should review their effective configuration (for example, the output of `nginx -T`) for that combination rather than assuming a default deployment is reachable.
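    The following is an added example, not code from the page or from F5, of how to audit an `nginx -T` dump for the precondition combination described above. The advisory text does not name directives, so the mapping is an assumption: "disabled header validation" is taken to mean `ignore_invalid_headers off`, "large header buffers" to mean `large_client_header_buffers` with a per-buffer size above the 8k default, and "HTTP/2 proxying" is detected through `grpc_pass`, since ngx_http_grpc_module speaks HTTP/2 to the upstream (no directive is assumed for ngx_http_proxy_v2_module). The two configurations are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page or from F5): flag nginx configurations that
# combine the three preconditions the advisory describes. Directive mapping is
# an assumption, see the comments on each check.
set -eu

# Constructed sample: the risky combination, all three conditions present.
RISKY_CONF='
http {
    server {
        listen 443 ssl;
        http2 on;
        ignore_invalid_headers off;
        large_client_header_buffers 8 64k;
        location / {
            grpc_pass grpc://127.0.0.1:50051;
        }
    }
}
'

# Constructed sample: same HTTP/2 proxying, but header validation left on and
# default header buffers (the commented-out directive must not count).
SAFE_CONF='
http {
    server {
        listen 443 ssl;
        http2 on;
        # large_client_header_buffers 4 32k;
        location / {
            grpc_pass grpc://127.0.0.1:50051;
        }
    }
}
'

# Drop everything after "#" so commented-out directives are ignored.
strip_comments() {
    sed 's/#.*$//'
}

# has_directive CONF REGEX: succeed if an active line matches REGEX.
has_directive() {
    printf '%s\n' "$1" | strip_comments | grep -Eq "$2"
}

# Assumed mapping of "disabled header validation": ignore_invalid_headers off.
header_validation_disabled() {
    has_directive "$1" '^[[:space:]]*ignore_invalid_headers[[:space:]]+off[[:space:]]*;'
}

# Assumed mapping of "large header buffers": large_client_header_buffers with a
# per-buffer size above nginx's 8k default. Parses NUMBER SIZE[k|m].
large_header_buffers() {
    size=$(printf '%s\n' "$1" | strip_comments \
        | sed -nE 's/^[[:space:]]*large_client_header_buffers[[:space:]]+[0-9]+[[:space:]]+([0-9]+)([kKmM]?)[[:space:]]*;.*/\1\2/p' \
        | head -n1)
    [ -n "$size" ] || return 1
    num=$(printf '%s' "$size" | sed 's/[^0-9]//g')
    unit=$(printf '%s' "$size" | sed 's/[0-9]//g' | tr 'KM' 'km')
    case "$unit" in
        k) bytes=$((num * 1024)) ;;
        m) bytes=$((num * 1024 * 1024)) ;;
        *) bytes=$num ;;
    esac
    [ "$bytes" -gt 8192 ]
}

# HTTP/2 to the upstream is what grpc_pass does; used here as the indicator.
http2_proxying() {
    has_directive "$1" '^[[:space:]]*grpc_pass[[:space:]]'
}

# exposed CONF: succeed only when all three preconditions are present.
exposed() {
    header_validation_disabled "$1" && large_header_buffers "$1" && http2_proxying "$1"
}

report() {
    if exposed "$1"; then
        echo "EXPOSED: HTTP/2 proxying with header validation off and large header buffers"
    else
        echo "not exposed under the advisory's stated preconditions"
    fi
}

report "$RISKY_CONF"
report "$SAFE_CONF"
```

    To run it against a live host, replace the constructed samples with `nginx -T 2>/dev/null` output, which includes every included file after the master process has resolved `include` directives. A negative result only means the stated preconditions are absent; the patch is still the fix.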

    F5 has released security updates for NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric that fix these vulnerabilities. The company also addressed two high-severity flaws in NGINX Gateway Fabric, CVE-2026-11311 and CVE-2026-50107, that could allow authenticated attackers to inject arbitrary NGINX configuration directives into the generated configuration; in an ingress controller that is effectively control over how traffic is routed and terminated, so those updates deserve the same priority.

    There are currently no reports of attacks exploiting any of the newly disclosed vulnerabilities. Organizations running NGINX-based systems should nonetheless apply F5's security updates promptly, since the flaws are reachable without credentials once the configuration preconditions are met.

    The disclosure is a reminder to keep internet-facing edge software current and to patch promptly: these components sit on the data plane, where an unauthenticated remote trigger for memory corruption is the worst case.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/F5-Patches-Critical-NGINX-Vulnerabilities-Enabling-Unauthenticated-Code-Execution-ehn.shtml

  • https://securityaffairs.com/193842/security/f5-patches-critical-nginx-vulnerabilities-enabling-unauthenticated-code-execution.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42530

  • https://www.cvedetails.com/cve/CVE-2026-42530/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-42055

  • https://www.cvedetails.com/cve/CVE-2026-42055/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-11311

  • https://www.cvedetails.com/cve/CVE-2026-11311/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-50107

  • https://www.cvedetails.com/cve/CVE-2026-50107/


  • Published: Thu Jun 18 10:04:47 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
