F5 has issued out-of-band patches for two serious flaws in its NGINX web server. The critical NGINX vulnerabilities both carry a CVSS v4.0 score of 9.2. Moreover, a remote, unauthenticated attacker can trigger each one. F5 released the fixes outside its usual cycle. According to the advisories, both bugs sit in the data plane, with “no control plane exposure.”
Why It Matters
NGINX powers a huge share of the world’s websites and proxies. So any unauthenticated flaw draws immediate attention. These NGINX vulnerabilities reach modern protocol features that many sites now enable. As a result, exposure could be broader than it first appears.
CVE-2026-42530: An HTTP/3 Use-After-Free
The first issue lives in the ngx_http_v3_module. It only affects servers configured to use the HTTP/3 QUIC module. There, a crafted HTTP/3 session can reopen a QPACK encoder stream. F5 classifies the bug as CWE-416, a use-after-free. As the advisory explains, this “may cause a Use-After-Free in the NGINX worker process, leading to a restart.”
That restart spells denial of service. However, the danger can climb higher. On systems where ASLR is disabled or bypassed, attackers may run code. NGINX Open Source 1.31.0 and 1.31.1 are affected, with a fix in 1.31.2.
CVE-2026-42055: A Conditional HTTP/2 Overflow
The second of these NGINX vulnerabilities hits the proxy and gRPC modules. F5 tags it CWE-122, a heap-based buffer overflow tied to HTTP/2 upstream traffic. Importantly, it only triggers under a non-default setup.
Three conditions must all line up. A location block must use grpc_pass or proxy_http_version 2. The ignore_invalid_headers directive must be off. Finally, large_client_header_buffers must exceed two megabytes. As F5 stresses, “deployments using the default NGINX configuration are not exposed to this vulnerability.” F5 fixed it in NGINX Open Source 1.30.3 and 1.31.2, plus NGINX Plus R36 P6 and 37.0.2.1.
Impact and Mitigation
In both cases, the headline risk is service disruption, not guaranteed code execution. There is no sign of active exploitation so far. Still, the wide product spread raises the stakes. NGINX Plus, Open Source, Gateway Fabric, Ingress Controller, and several WAF products all appear on the list. Some branches, including Instance Manager and Ingress Controller, still await fixes.
So defenders should act fast. First, upgrade to a fixed build wherever one exists. If you cannot patch the HTTP/3 flaw immediately, disable HTTP/3 by removing quic from listen directives. For the HTTP/2 bug, restoring the default ignore_invalid_headers and large_client_header_buffers settings closes the door. Above all, audit your NGINX configuration for these risky options now. Treat both as urgent despite the configuration caveats.
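As an added example (not code from the article or from F5), the following Python script audits a simplified NGINX configuration for both exposure conditions described above: a quic flag on a listen directive, and the three-way HTTP/2 upstream combination of grpc_pass or proxy_http_version 2, ignore_invalid_headers off and large_client_header_buffers above two megabytes. The parser is deliberately minimal (no include, no quoted arguments); the sample configurations are constructed; the defaults it uses for ignore_invalid_headers, large_client_header_buffers and proxy_http_version are NGINX's documented defaults; and it assumes the two-megabyte threshold is compared against the per-buffer size argument of large_client_header_buffers.

```python
# Audit a simplified NGINX config for the two exposure conditions described above.
import re

TWO_MB = 2 * 1024 * 1024

# Constructed sample configuration; not taken from the article or from F5.
SAMPLE_CONF = """
http {
    large_client_header_buffers 4 8k;       # NGINX default
    server {
        listen 443 quic reuseport;          # HTTP/3 enabled: CVE-2026-42530 surface
        server_name edge.example.test;
        location / { proxy_pass http://backend; }
    }
    server {
        listen 8443 ssl;
        server_name grpc.example.test;
        ignore_invalid_headers off;         # non-default
        large_client_header_buffers 4 4m;   # exceeds 2 MB
        location /grpc { grpc_pass grpc://grpc_backend; }
        location /h2 { proxy_http_version 2; proxy_pass http://h2_backend; }
        location /h1 { proxy_pass http://h1_backend; }   # HTTP/1.0 upstream, unaffected
    }
}
"""
# The same configuration with the advisory's mitigations applied.
HARDENED_CONF = (SAMPLE_CONF.replace("listen 443 quic reuseport;", "listen 443 ssl;")
                 .replace("ignore_invalid_headers off;", "ignore_invalid_headers on;")
                 .replace("large_client_header_buffers 4 4m;", "large_client_header_buffers 4 8k;"))

# Documented NGINX defaults for the three settings that locations inherit.
DEFAULTS = {"ignore_invalid_headers": ["on"], "large_client_header_buffers": ["4", "8k"],
            "proxy_http_version": ["1.0"]}

def parse(text):
    """Parse NGINX config text into nested blocks ({'directives': [(name, args)],
    'blocks': [(name, args, child)]}). Simplified: no include, no quoted args."""
    root = {"directives": [], "blocks": []}
    stack, buf = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text)):
        if tok == ";" and buf:
            stack[-1]["directives"].append((buf[0], buf[1:]))
        elif tok == "{":
            child = {"directives": [], "blocks": []}
            stack[-1]["blocks"].append((buf[0], buf[1:], child))
            stack.append(child)
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok != ";":
            buf.append(tok)
            continue
        buf = []  # a ';', '{' or '}' ends the current directive
    return root

def parse_size(value):
    """Convert an NGINX size token such as '8k', '2m' or '4096' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", value)
    if not m:
        raise ValueError(f"bad size: {value}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]

def _last(block, name, default=None):
    """Args of the last occurrence of directive `name` in `block`, or `default`."""
    vals = [args for d, args in block["directives"] if d == name]
    return vals[-1] if vals else default

def _inherit(block, parent):
    """Effective settings for a block: its own values override the parent's."""
    return {k: _last(block, k, parent[k]) for k in parent}

def audit(conf_text):
    """Return (finding, server_name, location) tuples for the two risky patterns."""
    findings = []
    for _, _, http in (b for b in parse(conf_text)["blocks"] if b[0] == "http"):
        http_eff = _inherit(http, DEFAULTS)
        for _, _, server in (b for b in http["blocks"] if b[0] == "server"):
            eff = _inherit(server, http_eff)
            sname = _last(server, "server_name", ["<unnamed>"])[0]
            # HTTP/3 surface: any listen directive carrying the quic flag.
            if any("quic" in a for d, a in server["directives"] if d == "listen"):
                findings.append(("http3-quic-enabled", sname, None))
            # Assumption: the 2 MB threshold is compared against the per-buffer size.
            risky_headers = (eff["ignore_invalid_headers"][0] == "off"
                             and parse_size(eff["large_client_header_buffers"][1]) > TWO_MB)
            for _, largs, loc in (b for b in server["blocks"] if b[0] == "location"):
                h2 = (_last(loc, "grpc_pass") is not None
                      or _last(loc, "proxy_http_version", eff["proxy_http_version"])[0] == "2")
                if h2 and risky_headers:
                    findings.append(("http2-upstream-overflow-conditions", sname, " ".join(largs)))
    return findings

if __name__ == "__main__":
    for kind, sname, loc in audit(SAMPLE_CONF):
        print(kind, sname, loc or "")
```

Run against the constructed sample, the audit flags the quic listener on the first server and the /grpc and /h2 locations on the second, while the /h1 location (HTTP/1.0 upstream) and the hardened variant produce no findings. On a real host, feed it the fully resolved configuration from nginx -T rather than the individual files, so that inherited http- and server-level settings are taken into account.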