F5 released emergency patches on June 18, 2026 for two critical remote code execution vulnerabilities in NGINX Open Source and NGINX Plus. Both carry a CVSS v4 score of 9.2 (Critical) and can be triggered by an unauthenticated remote attacker with no prior access to the system. The first flaw is a use-after-free bug in NGINX's HTTP/3 QUIC module (CVE-2026-42530); the second is a heap buffer overflow in the HTTP/2 reverse-proxy modules (CVE-2026-42055).
Neither is confirmed as exploited in the wild as of disclosure — but a previous critical NGINX flaw (CVE-2026-42945, NGINX Rift) was exploited within days of its May 2026 disclosure. Given NGINX's dominant position as one of the world's most widely deployed web servers, patching is urgent. Treat this as a high-urgency patch with a 24–72 hour remediation window.
Affected Software and Versions
CVE-2026-42530 — Use-After-Free in HTTP/3 QUIC Module (CVSS 9.2)
| Component | Affected Versions | Fixed Version |
|---|---|---|
| NGINX Open Source | 1.31.0 – 1.31.1 | 1.31.2 |
| NGINX Gateway Fabric | 2.0.0 – 2.6.3 | 2.6.4 |
| NGINX Gateway Fabric | 1.3.0 – 1.6.2 | No fix yet |
| NGINX Instance Manager | 2.17.0 – 2.22.0 | Patch pending |
| NGINX Ingress Controller | 3.5.0 – 5.5.0 | Patch pending |
CVE-2026-42055 — Heap Buffer Overflow in HTTP/2 Proxy Modules (CVSS 9.2)
| Component | Affected Versions | Fixed Version |
|---|---|---|
| NGINX Plus | 37.0.0 – 37.0.1 | 37.0.2.1 |
| NGINX Plus | R33 – R36 | R36 P6 |
| NGINX Open Source | 1.31.1 | 1.31.2 |
| NGINX Open Source | 1.30.0 – 1.30.2 | 1.30.3 |
| F5 WAF for NGINX | 5.9.0 – 5.13.1 | Patch pending |
| NGINX App Protect WAF | 4.10.0 – 5.8.0 | Patch pending |
| NGINX Gateway Fabric | 2.0.0 – 2.6.3 | 2.6.4 |
| NGINX Ingress Controller | 3.5.0 – 5.5.0 | Patch pending |
CVE-2026-42530: Use-After-Free in the HTTP/3 QUIC Module
NGINX's HTTP/3 implementation uses QPACK for header compression. When the module handles a reopened QPACK encoder stream within an existing HTTP/3 session, it frees the memory associated with the old encoder stream object but fails to null out the pointer referencing it. This dangling pointer is a use-after-free (UAF) condition.
By crafting a special HTTP/3 session that triggers this sequence, an unauthenticated remote attacker can:
- Free a target memory object while retaining a live pointer to the freed region.
- Use subsequent allocations (heap grooming) to place attacker-controlled data at the freed address.
- When the stale pointer is dereferenced, the controlled data is interpreted as a legitimate object — enabling arbitrary code execution.
On systems with ASLR enabled, the attacker must first defeat address randomization to achieve reliable exploitation. On systems with ASLR disabled, exploitation is significantly simpler.
Important: HTTP/3 is not enabled by default in most NGINX builds. Sites that have not configured listen ... quic; are not exposed to this specific flaw.
CVE-2026-42055: Heap Buffer Overflow in HTTP/2 Proxy Modules
This vulnerability lives in ngx_http_proxy_v2_module and ngx_http_grpc_module — the modules responsible for proxying HTTP/2 or gRPC traffic to upstream backends. A heap-based buffer overflow occurs when all three of the following non-default configuration conditions are present simultaneously:
- proxy_http_version 2; or grpc_pass is configured.
- ignore_invalid_headers is set to off (the default is on).
- large_client_header_buffers size exceeds 2 MB.
Under these conditions, a crafted HTTP/2 request with oversized or malformed headers can write beyond the bounds of a heap buffer. Complex reverse-proxy deployments, Kubernetes ingress controllers, and gRPC-heavy API gateways are the most likely environments to have all three conditions simultaneously present.
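As an added example (not code from the advisory or from F5/NGINX), the following Python scans an nginx configuration text for the preconditions described above: a quic listener for CVE-2026-42530 and the three-condition combination for CVE-2026-42055. The sample configs are constructed; the checker assumes the second argument of large_client_header_buffers is the per-buffer size and scans the whole file rather than modelling per-context inheritance, so it errs toward flagging.

```python
import re

# Constructed sample configs for demonstration (not from the advisory).
EXPOSED_CONF = """
http {
    large_client_header_buffers 4 4m;      # > 2 MB
    server {
        listen 443 quic reuseport;         # HTTP/3 enabled
        listen 443 ssl;
        ignore_invalid_headers off;        # non-default
        location /api/ { grpc_pass grpc://backend:50051; }
    }
}
"""

HARDENED_CONF = """
http {
    large_client_header_buffers 4 16k;     # well below 2 MB
    server {
        listen 443 ssl;
        http2 on;
        location /api/ { proxy_pass http://backend; proxy_http_version 2; }
    }
}
"""

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
_BUF_RE = re.compile(r"large_client_header_buffers\s+(\d+)\s+(\d+)([kKmM]?)\s*;")

def _strip_comments(conf):
    return re.sub(r"#[^\n]*", "", conf)

def max_header_buffer_bytes(conf):
    """Largest per-buffer size (assumed: 2nd argument) of any
    large_client_header_buffers directive, in bytes; 0 if absent."""
    best = 0
    for _count, size, unit in _BUF_RE.findall(_strip_comments(conf)):
        best = max(best, int(size) * _UNITS[unit.lower()])
    return best

def exposure(conf):
    """Map each CVE to True if the config meets its stated preconditions."""
    c = _strip_comments(conf)
    quic = re.search(r"\blisten\s[^;]*\bquic\b", c) is not None
    h2_proxy = (re.search(r"\bproxy_http_version\s+2\s*;", c) is not None
                or re.search(r"\bgrpc_pass\s", c) is not None)
    invalid_off = re.search(r"\bignore_invalid_headers\s+off\s*;", c) is not None
    big_buf = max_header_buffer_bytes(c) > 2 * 1024 ** 2
    return {"CVE-2026-42530": quic,
            "CVE-2026-42055": h2_proxy and invalid_off and big_buf}
```

Feed it the output of nginx -T on a host to check the fully resolved configuration rather than a single file.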
Active Exploitation Status
No confirmed wild exploitation as of June 18, 2026. However, CVE-2026-42945 (NGINX Rift, same CVSS score, same product family) went from patch to active exploitation in under one week in May 2026. F5/NGINX products are high-value targets routinely targeted by nation-state and ransomware groups. Proof-of-concept research is likely already underway in the security community.
NGINX powers an estimated 30%+ of global web traffic. Organizations running NGINX as a public-facing reverse proxy, API gateway, or Kubernetes ingress are the primary risk group.
Remediation
Patch
# Ubuntu/Debian
sudo apt-get update && sudo apt-get install --only-upgrade nginx
nginx -v # Should show 1.31.2 or 1.30.3
# RHEL/CentOS/Rocky
sudo yum update nginx
nginx -v
NGINX Plus customers: Apply R36 P6 or upgrade Plus to 37.0.2.1 via the F5 customer portal.
Mitigations if Patching Is Not Immediately Possible
For CVE-2026-42530 (HTTP/3): Disable HTTP/3 in nginx.conf:
# Remove the quic listener (listen 443 quic;) and serve TLS over TCP only:
listen 443 ssl;
http2 on; # keep HTTP/2 if needed; only the quic listener has to go
For CVE-2026-42055 (HTTP/2 Proxy): Remove ignore_invalid_headers off; from your config, or reduce large_client_header_buffers below 2 MB:
large_client_header_buffers 4 16k; # well below 2MB threshold
Reload NGINX after any configuration change so it takes effect: sudo systemctl reload nginx