
F5 has issued emergency updates for NGINX after researchers uncovered two critical flaws that allow unauthenticated attackers to execute code on affected systems. The flaws, tracked as CVE-2026-42530 and CVE-2026-42055, both carry a CVSS score of 9.2 and can be triggered without any authentication. Details were released in F5's advisory and were also covered by SecurityAffairs.
The first vulnerability, CVE-2026-42530, resides in the ngx_http_v3_module and is a Use-After-Free condition that can be exploited by sending specially crafted HTTP/3 requests. An attacker who can inject malicious packets into an HTTP/3 session may gain the ability to run arbitrary code with the privileges of the NGINX worker process. The issue is rated at CVSS 9.2 due to its potential for remote code execution and the lack of authentication required.
The second flaw, CVE-2026-42055, is a heap-based buffer overflow present in the ngx_http_proxy_v2_module and ngx_http_grpc_module. It can be triggered when NGINX is configured to accept unusually large header fields, a setting that is not enabled by default. Successful exploitation may lead to denial of service or the execution of arbitrary code, earning it a CVSS 9.2 rating. F5 also addressed CVE-2026-11311 and CVE-2026-50107 in NGINX Gateway Fabric, which could allow authenticated users to alter configurations.
F5 notes that default installations of NGINX are not affected by either of the two critical bugs, as the vulnerable code paths require non-default settings such as enabled HTTP/3 or custom header limits. To date there have been no public reports of exploitation in the wild, but the ease of crafting malicious HTTP/3 packets means that Internet-facing devices remain a tempting target for opportunistic actors.
Administrators should prioritize applying the updated NGINX packages supplied by F5, which contain patches for all four CVEs. While doing so, it is prudent to review whether HTTP/3 is truly needed; if not, disabling the ngx_http_v3_module can remove the attack surface for CVE-2026-42530. Similarly, checking proxy and gRPC configuration for oversized header allowances will mitigate the risk posed by CVE-2026-42055. Monitoring access logs for abnormally large headers or unexpected worker process restarts can help detect attempted exploitation.
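The configuration review described above, as an added example that is not part of the advisory or of NGINX itself: a small audit that reads the output of `nginx -V` and an nginx.conf and reports whether the HTTP/3 code path is reachable and whether any header buffer is sized beyond a default-like value. The sample inputs are constructed, the choice of `large_client_header_buffers`, `proxy_buffer_size` and `grpc_buffer_size` as the header-size directives to inspect is an assumption (the advisory does not name the directives), and the 16k threshold is likewise an assumed cut-off for "unusually large".

```python
import re

# Constructed sample inputs (not captured from a real host): `nginx -V` output
# and an nginx.conf fragment that enables HTTP/3 and raises two header buffers.
SAMPLE_NGINX_V = (
    "nginx version: nginx/1.27.0\n"
    "configure arguments: --with-http_ssl_module --with-http_v3_module\n"
)
SAMPLE_CONF = """
http {
    large_client_header_buffers 4 64k;   # non-default, oversized
    server {
        listen 443 quic reuseport;        # HTTP/3 listener
        listen 443 ssl;
        http3 on;
        location /api/  { proxy_pass http://backend; proxy_buffer_size 128k; }
        location /grpc/ { grpc_pass grpc://backend; }
    }
}
"""

# Assumption: these directives govern the header sizes NGINX will accept.
HEADER_DIRECTIVES = ("large_client_header_buffers", "proxy_buffer_size", "grpc_buffer_size")
MAX_SANE_HEADER_BYTES = 16 * 1024  # assumed threshold for "unusually large"

def parse_size(token):
    """Convert an NGINX size token ('8k', '1m', '4096') to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]

def audit(nginx_v_output, conf_text):
    """Return findings for each CVE whose non-default precondition is present."""
    findings = []
    conf = re.sub(r"#.*", "", conf_text)  # drop comments before matching directives
    built_with_h3 = "--with-http_v3_module" in nginx_v_output
    h3_enabled = bool(re.search(r"\blisten\b[^;]*\bquic\b", conf)) or \
                 bool(re.search(r"\bhttp3\s+on\s*;", conf))
    if built_with_h3 and h3_enabled:
        findings.append("CVE-2026-42530: ngx_http_v3_module is built in and HTTP/3 is "
                        "enabled (listen ... quic / http3 on); disable or patch")
    for name in HEADER_DIRECTIVES:
        for m in re.finditer(rf"\b{name}\s+([^;]+);", conf):
            size = parse_size(m.group(1).split()[-1])  # the size is the last argument
            if size > MAX_SANE_HEADER_BYTES:
                findings.append(f"CVE-2026-42055: {name} permits {size} bytes per header "
                                f"buffer (> {MAX_SANE_HEADER_BYTES}); review or patch")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_NGINX_V, SAMPLE_CONF) or ["no non-default preconditions found"]:
        print(line)
```

On a real host, replace the two constants with `subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr` and the contents of `nginx -T`, which prints the fully resolved configuration.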
Finally, organisations should subscribe to F5's security mailing list to receive timely notices about future updates and test any patches in an isolated staging environment before rolling them out to production. Limiting direct Internet access to the NGINX management interface and enforcing strict network segmentation will also reduce the chance that an attacker can leverage these flaws even if a system remains unpatched for a short window.