F5 has released security updates for two critical vulnerabilities in NGINX Open Source that could allow remote unauthenticated attackers to execute code on affected systems.
The first flaw, CVE-2026-42530 (CVSS v4: 9.2), is a use-after-free in the ngx_http_v3_module. It can be triggered via a specially crafted HTTP/3 session when QUIC is enabled, allowing code execution on systems with ASLR disabled or bypassed. The second, CVE-2026-42055 (CVSS v4: 9.2), is a heap-based buffer overflow in the proxy_v2 and grpc modules that can be exploited when proxying HTTP/2 traffic with ignore_invalid_headers set to off and large_client_header_buffers above 2 MB.
Both vulnerabilities affect a wide range of F5 products including NGINX Open Source (versions 1.30.0-1.31.1), NGINX Plus, NGINX Gateway Fabric, NGINX Instance Manager, and NGINX Ingress Controller. F5 has published fixed versions for each product line.
As temporary mitigations, F5 recommends disabling HTTP/3 for CVE-2026-42530 and either removing the ignore_invalid_headers directive or reducing large_client_header_buffers below 2 MB for CVE-2026-42055. Although F5 says there’s no evidence of active exploitation, NGINX vulnerabilities have been repeatedly targeted — most recently CVE-2026-42945, which was exploited in the wild within days of disclosure.
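As an added example (not part of the F5 advisory or this article), the POSIX shell script below audits an nginx configuration for the settings the interim mitigations above turn on: a QUIC listener or `http3 on` (relevant to CVE-2026-42530), and `ignore_invalid_headers off` or a `large_client_header_buffers` size above 2 MB (relevant to CVE-2026-42055). The directive names are nginx's own and the 2 MB threshold comes from the article; the two sample configurations, the backend name and the finding messages are constructed for illustration.

```shell
#!/bin/sh
# Added example, not F5's code: flag nginx settings that the advisory's
# interim mitigations are about. Input is a plain config file, e.g. the
# output of `nginx -T`. Sample configs below are constructed.

# Convert an nginx size token (8k, 4m, 16384) to bytes.
nginx_size_to_bytes() {
  case "$1" in
    *[kK]) echo $(( ${1%[kK]} * 1024 )) ;;
    *[mM]) echo $(( ${1%[mM]} * 1024 * 1024 )) ;;
    *)     echo "$1" ;;
  esac
}

# Print one finding per line for the given config file; prints nothing when clean.
audit_nginx_conf() {
  # Drop comments, then split on ';' so every directive lands on its own line.
  sed -e 's/#.*$//' "$1" | tr ';' '\n' | while read -r line; do
    set -f            # no glob expansion of tokens such as *.conf
    set -- $line
    [ $# -gt 0 ] || continue
    case "$1" in
      listen)
        for tok in "$@"; do
          if [ "$tok" = "quic" ]; then
            echo "CVE-2026-42530: QUIC (HTTP/3) listener enabled: $line"
          fi
        done ;;
      http3)
        if [ "$2" = "on" ]; then
          echo "CVE-2026-42530: http3 on"
        fi ;;
      ignore_invalid_headers)
        if [ "$2" = "off" ]; then
          echo "CVE-2026-42055: ignore_invalid_headers off"
        fi ;;
      large_client_header_buffers)
        # Syntax: large_client_header_buffers <number> <size>; 2 MB = 2097152 bytes
        if [ -n "$3" ] && [ "$(nginx_size_to_bytes "$3")" -gt 2097152 ]; then
          echo "CVE-2026-42055: large_client_header_buffers size $3 exceeds 2 MB"
        fi ;;
    esac
  done
  return 0
}

# Number of findings for a config file, as a plain integer.
count_findings() {
  audit_nginx_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the risky shape both mitigations address.
RISKY_CONF=$(mktemp)
cat > "$RISKY_CONF" <<'EOF'
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;          # HTTP/3 enabled
        http2 on;
        http3 on;
        ignore_invalid_headers off;
        large_client_header_buffers 4 4m;   # 4 MB per buffer, above 2 MB
        location / { grpc_pass grpc://backend; }   # hypothetical upstream
    }
}
EOF

# Constructed sample: same server with the interim mitigations applied.
MITIGATED_CONF=$(mktemp)
cat > "$MITIGATED_CONF" <<'EOF'
http {
    server {
        listen 443 ssl;
        http2 on;
        # ignore_invalid_headers removed (nginx default is on); buffers back under 2 MB
        large_client_header_buffers 4 16k;
        location / { grpc_pass grpc://backend; }   # hypothetical upstream
    }
}
EOF

audit_nginx_conf "$RISKY_CONF"
echo "risky: $(count_findings "$RISKY_CONF") findings, mitigated: $(count_findings "$MITIGATED_CONF") findings"
```

Run it against `nginx -T` output on each instance while the fixed build is being rolled out; the check is textual and does not evaluate variables or separately included files, so it is a first pass rather than a substitute for the upgrade.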
