F5 has released urgent updates to address critical vulnerabilities in NGINX, specifically CVE-2026-42530 and CVE-2026-42055, both rated at CVSS 9.2. The first vulnerability allows unauthenticated code execution through a use-after-free condition in the ngx_http_v3_module, exploitable via specially crafted HTTP/3 sessions.
The second vulnerability is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module, which can be exploited by sending oversized headers in non-default configurations. Both vulnerabilities pose risks of denial-of-service (DoS) and potential code execution; however, default installations are not affected. F5 also addressed two other high-severity vulnerabilities in NGINX Gateway Fabric but reports no known exploitation of the identified issues.
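
A triage helper for the modules named above, as an added example rather than code from F5 or the original page: it scans NGINX configuration text for directives that put ngx_http_v3_module, ngx_http_grpc_module or ngx_http_proxy_v2_module in the request path. The directive-to-module mapping and the sample configuration are assumptions constructed for illustration; a hit means the module is in use, not that the configuration is vulnerable.

```python
import re

# Assumed mapping (not from the advisory): directives that bring each
# affected module into the request path.
MODULE_DIRECTIVES = {
    "ngx_http_v3_module": re.compile(r"^listen\s+.*\bquic\b"),
    "ngx_http_grpc_module": re.compile(r"^grpc_pass\s+\S"),
    "ngx_http_proxy_v2_module": re.compile(r"^proxy_http_version\s+2\b"),
}

def strip_comment(line):
    """Drop a trailing '#' comment, keeping '#' inside quoted strings."""
    out, quote = [], None
    for ch in line:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            break
        out.append(ch)
    return "".join(out)

def audit(config_text):
    """Return {module: [(line_number, directive), ...]} for active directives."""
    hits = {module: [] for module in MODULE_DIRECTIVES}
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Split on block and statement delimiters so one-line blocks are handled.
        for fragment in re.split(r"[;{}]", strip_comment(raw)):
            directive = " ".join(fragment.split())
            for module, pattern in MODULE_DIRECTIVES.items():
                if pattern.match(directive):
                    hits[module].append((lineno, directive))
    return hits

# Constructed sample; in practice pass the output of `nginx -T`.
SAMPLE = """\
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;
        # grpc_pass grpc://127.0.0.1:50051;
        location /api/ { proxy_http_version 1.1; proxy_pass http://backend; }
        location /rpc/ { grpc_pass grpc://127.0.0.1:50051; }
    }
}
"""

if __name__ == "__main__":
    for module, found in audit(SAMPLE).items():
        for lineno, directive in found:
            print(f"{module}: line {lineno}: {directive}")
```

Hosts with no hits match the page's statement that default installations are not affected; hosts with hits are the ones to prioritise for the F5 updates.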