F5 has issued urgent patches for two critical vulnerabilities in NGINX: CVE-2026-42530 and CVE-2026-42055. CVE-2026-42530, categorized as a major-severity use-after-free vulnerability in NGINX's HTTP/3 implementation, affects versions 1.31.0 to 1.31.1, allowing remote attackers to restart processes and potentially execute code. CVE-2026-42055 is a medium-severity heap-based buffer overflow affecting HTTP/2 and gRPC proxying, impacting versions 1.13.10 to 1.31.1.
Security risks include Denial-of-Service (DoS) and Remote Code Execution (RCE). Organizations should upgrade to NGINX 1.31.2 or 1.30.3, limit exposure, and monitor for unusual activity related to these vulnerabilities. At present, there are no confirmed reports of in-the-wild exploitation.
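To triage a fleet against the ranges above, the following added example (not F5 or NGINX project code) classifies a host from its `nginx -v` banner and a config dump such as `nginx -T` output. It handles the case where the fixed 1.30.3 release falls numerically inside the CVE-2026-42055 range. The mapping from directives to affected features, and the treatment of later 1.30.x releases as fixed, are assumptions.

```python
import re

# Affected ranges and fixed releases as stated in the advisory text.
AFFECTED = {
    "CVE-2026-42530": ((1, 31, 0), (1, 31, 1)),   # HTTP/3 use-after-free
    "CVE-2026-42055": ((1, 13, 10), (1, 31, 1)),  # HTTP/2 / gRPC proxying overflow
}
FIXED_STABLE = (1, 30, 3)  # fixed release that sits inside the second range

# Assumption: these directives indicate the affected feature is enabled.
# The advisory does not name directives, so this is a conservative guess.
FEATURES = {
    "CVE-2026-42530": re.compile(r"\blisten\s[^;]*\bquic\b"),
    "CVE-2026-42055": re.compile(
        r"\blisten\s[^;]*\bhttp2\b|\bhttp2\s+on\b|\bgrpc_pass\s"),
}

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` style output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version found in banner")
    return tuple(int(part) for part in m.groups())

def version_affected(version, cve):
    low, high = AFFECTED[cve]
    if not (low <= version <= high):
        return False
    # Assumption: 1.30.x releases from 1.30.3 onward carry the fix.
    return not (version[:2] == FIXED_STABLE[:2] and version >= FIXED_STABLE)

def triage(banner, config_dump):
    """Map each CVE to a status string for one host."""
    version = parse_version(banner)
    active = re.sub(r"#[^\n]*", "", config_dump)  # ignore commented-out lines
    status = {}
    for cve, pattern in FEATURES.items():
        if not version_affected(version, cve):
            status[cve] = "not affected"
        elif pattern.search(active):
            status[cve] = "affected, feature on"
        else:
            status[cve] = "affected, feature not seen"
    return status

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER = "nginx version: nginx/1.31.1"
SAMPLE_CONFIG = ("server {\n    listen 443 ssl;\n    http2 on;\n"
                 "    location / { grpc_pass grpc://127.0.0.1:50051; }\n}\n")
```

A host reported as "affected, feature not seen" is still running an affected build and belongs on the upgrade list; the feature check only helps order the work.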