F5 Patches Critical NGINX RCE Flaws, Urges Immediate Updates

On June 17, 2026, F5 released out-of-band security updates for two critical remote code execution (RCE) and denial-of-service (DoS) vulnerabilities, CVE-2026-42530 and [CVE-2026-42055], impacting NGINX Open Source and related products. Both flaws carry a CVSS v4 score of 9.2, indicating severe risk, especially given the recent, rapid weaponization of a similar NGINX heap buffer overflow, [CVE-2026-42945], within three days of its disclosure in May 2026. This accelerated timeline for NGINX exploitation means teams running vulnerable configurations need to patch or mitigate immediately.

What Happened

On June 17, 2026, F5 pushed out urgent, unscheduled security updates to address two critical flaws in NGINX Open Source and various F5 NGINX products. These vulnerabilities, CVE-2026-42530 and CVE-2026-42055, are both rated with a CVSS v4 score of 9.2, confirming their critical severity. They primarily allow for remote code execution or, failing that, can trigger denial-of-service conditions, crashing NGINX worker processes.

Exploitation is possible by unauthenticated remote attackers, but crucially, it relies on specific, non-default NGINX configurations. F5 has not reported any evidence of active exploitation in the wild for these specific vulnerabilities as of publication. However, the rapid weaponization of CVE-2026-42945 (dubbed "NGINX Rift") just weeks prior offers a specific lesson. That critical NGINX heap buffer overflow, also with a CVSS 9.2, was actively exploited within 72 hours of its public disclosure in May 2026, as reported by Hackmageddon. This precedent shows the extreme urgency of patching these new flaws.

Why It Matters

NGINX is a foundational component for countless internet-facing web servers and reverse proxies, meaning a successful exploit can provide unauthenticated remote attackers with a foothold into critical infrastructure. Even though these vulnerabilities require specific non-default configurations, the sheer volume and diversity of NGINX deployments make it highly probable that many production environments are running vulnerable setups. A CVSS 9.2 RCE means full system compromise, and even a DoS condition can devastate availability for critical services.

The rapid weaponization of CVE-2026-42945 in May 2026 illustrates the real-world impact and accelerated timelines for NGINX vulnerabilities. Threat actors like those exploiting "NGINX Rift" are analyzing advisories and developing exploits at an unprecedented pace. Matan Shavit of Hadrian specifically commented on this trend, stating that vendors and organizations need to adapt to faster exploitation windows, as reported by Hackmageddon. The high-profile nature of NGINX and its critical role in internet infrastructure means these flaws will be intensely scrutinized for exploitability by both security researchers and malicious actors.

Affected Scope & Remediation

The impact of these new NGINX vulnerabilities, CVE-2026-42530 and CVE-2026-42055, spans several F5 NGINX products. Organizations must audit their NGINX configurations and immediately apply the relevant patches. The range of affected versions highlights the broad exposure across different product lines and release cycles.

F5 also patched two high-severity vulnerabilities (CVE-2026-11311 and CVE-2026-50107) in NGINX Gateway Fabric, which allowed authenticated attackers to inject arbitrary NGINX configuration directives, as reported by BleepingComputer. While not as critical as the RCEs, these reinforce the need for thorough patching.

Here's a breakdown of affected and fixed versions for the critical RCE/DoS flaws:

Patch links for reference:

• NVD Entry for CVE-2026-42530
• NVD Entry for CVE-2026-42055
• F5 Security Advisories (refer to F5.com for official advisories)
• BleepingComputer coverage: F5 patches critical NGINX RCE flaws, urges immediate updates

There are no CISA KEV entries for these specific NGINX vulnerabilities as of June 17, 2026.

Immediate Mitigations (if patching isn't possible):

• For CVE-2026-42530: Disable HTTP/3 support by removing the quic parameter from all listen directives in your NGINX configuration.
• For CVE-2026-42055: Remove the ignore_invalid_headers off directive from your NGINX configuration. Also, reduce the large_client_header_buffers directive size to below 2 megabytes.

These workarounds should only be temporary; full patching is the definitive solution. For monitoring, deploy endpoint detection and response (EDR) tools like CrowdStrike Falcon or SentinelOne on NGINX host systems to detect any post-exploitation activity, as RCE could lead to payload drops or lateral movement attempts.

Technical Breakdown

CVE-2026-42530 is a critical use-after-free (CWE-416) vulnerability within the ngx_http_v3_module of NGINX Open Source. This flaw manifests when NGINX is configured to use the HTTP/3 QUIC module and exposes an attacker-accessible UDP listener. An unauthenticated remote attacker can trigger the vulnerability by sending a specially crafted HTTP/3 session that reopens a QPACK encoder stream. This manipulation causes a memory-lifetime error, leading to the NGINX worker process crashing and restarting (DoS). If Address Space Layout Randomization (ASLR) is disabled or successfully bypassed, arbitrary code execution becomes possible.

Think of it like this: you return a book to the library, and the librarian immediately checks it back in and gives it to someone else. But you still have the old library card for that book, and you try to use it again. The system gets confused, potentially leading to a crash or, in a worse scenario, allowing you to access or manipulate data that's now tied to the new borrower, even though you shouldn't have any rights to it. That's a use-after-free: using memory after it's been deallocated and potentially re-assigned.

CVE-2026-42055 is a critical heap-based buffer overflow (CWE-122) affecting the ngx_http_proxy_v2_module and ngx_http_grpc_module in NGINX Open Source and NGINX Plus. This vulnerability is conditional, requiring specific non-default configurations: either proxy_http_version set to 2 or grpc_pass directives for HTTP/2 traffic, coupled with ignore_invalid_headers set to off, and a large_client_header_buffers directive size larger than 2 megabytes. An unauthenticated remote attacker can exploit this by sending large, specially crafted headers. This input overflow causes a buffer to write beyond its allocated memory boundary on the heap, corrupting adjacent memory. Like CVE-2026-42530, this typically leads to a worker process restart (DoS), but can enable arbitrary code execution if ASLR is disabled or bypassed.

For both vulnerabilities, successful exploitation maps directly to T1190 Exploit Public-Facing Application in the MITRE ATT&CK framework, as they target services directly exposed to the internet. This technique involves an adversary leveraging a vulnerability in an internet-facing application, service, or device to gain initial access. Mitigating these flaws aligns with the NIST SP 800-53 control SI-2 Flaw Remediation, which emphasizes identifying, evaluating, and remediating software flaws in a timely manner. This includes applying patches and implementing workarounds.

Historical Context

The most relevant historical context for these NGINX vulnerabilities is the recently dubbed "NGINX Rift" flaw, CVE-2026-42945. Disclosed in May 2026, this was a critical heap buffer overflow (CVSS 9.2) in NGINX, strikingly similar in severity and impact to the current two RCE flaws. The key takeaway from CVE-2026-42945 was the lightning-fast exploitation: threat actors were observed actively leveraging the bug in the wild within approximately three days of its public disclosure, as confirmed by Hackmageddon.

This incident highlighted a critical shift: the window between public disclosure and active exploitation for high-impact vulnerabilities, especially in widely deployed infrastructure like NGINX, has shrunk dramatically. While the specific attack vectors for CVE-2026-42530 (HTTP/3 QPACK stream) and CVE-2026-42055 (HTTP/2 proxy/gRPC headers) differ from "NGINX Rift," the underlying risk profile – an unauthenticated remote attacker gaining RCE or DoS in a critical web server – is virtually identical. This rapid exploitation trend means organizations can no longer afford to delay patching or mitigation for even a few days.

Data at a Glance

The CVEDaily Take

These NGINX RCEs are a sharp reminder that relying on non-default configurations as a primary security barrier for critical internet-facing services is insufficient; assume the configuration exists somewhere in your environment. Patch it now. We think it's problematic that F5 isn't reporting any active exploitation for these specific CVEs, given the history of CVE-2026-42945 being exploited within 72 hours. This discrepancy could lead to a false sense of security. Has your team performed a full audit of all NGINX listen directives for quic or proxy_http_version settings since this advisory dropped?

FAQ

Q1: What specific NGINX modules are impacted by these critical vulnerabilities?
A1: CVE-2026-42530 affects the ngx_http_v3_module, which handles HTTP/3 (QUIC) traffic. CVE-2026-42055 impacts the ngx_http_proxy_v2_module and ngx_http_grpc_module, both involved in proxying HTTP/2 and gRPC traffic.

Q2: Are there immediate mitigations for these NGINX vulnerabilities if patching isn't feasible right away?
A2: Yes, temporary mitigations exist. For CVE-2026-42530, disable HTTP/3 by removing the quic parameter from all NGINX listen directives. For CVE-2026-42055, remove the ignore_invalid_headers off directive and ensure your large_client_header_buffers directive is set below 2 megabytes.

Q3: Has F5 observed active exploitation of CVE-2026-42530 or CVE-2026-42055 in the wild?
A3: F5 has not reported any evidence of active exploitation for these specific NGINX vulnerabilities as of June 17, 2026. However, the rapid exploitation of the similar CVE-2026-42945 ("NGINX Rift") just prior indicates that this status could change quickly, warranting immediate action.