Barely a month after NGINX Rift dragged an eighteen-year-old heap overflow out of the rewrite engine, F5 is back with two more. On June 17 it published advisories for CVE-2026-42530 and CVE-2026-42055 — both CVSS v4 9.2, both reachable by a remote unauthenticated attacker, both landing in the parts of NGINX that speak the modern web. Where Rift lived in string-handling code written in the FreeBSD-mailing-list era, these two live in HTTP/3 and HTTP/2: the protocols you turned on because they were faster, newer, better. Last month’s lesson was that old code rots. This month’s is that the new code was never audited either.
Neither flaw is known to be exploited in the wild yet. Rift was, within days of its public PoC. Plan accordingly.
CVE-2026-42530 — use-after-free in the HTTP/3 stack
The first bug is a use-after-free in ngx_http_v3_module, the module that implements HTTP/3 over QUIC. A remote, unauthenticated attacker who can open an HTTP/3 session can craft one that reopens a QPACK encoder stream — QPACK being the HTTP/3 header-compression scheme — and drive NGINX into referencing memory it has already freed. On a deployment with ASLR disabled, or where the attacker can otherwise bypass it, that use-after-free becomes remote code execution in the NGINX worker. On a hardened default, the realistic outcome is a worker crash, and repeated requests give you a denial-of-service loop against your frontend.
The saving grace is reachability. HTTP/3 is opt-in. You only have ngx_http_v3_module in the request path if you explicitly configured a listen ... quic socket and turned http3 on. If you never enabled QUIC, CVE-2026-42530 does not apply to you. If you did — because HTTP/3 shaved latency off your edge — you are exposed pre-authentication on your public listener.
CVE-2026-42055 — heap overflow on the HTTP/2 proxy path
The second bug is the one infrastructure teams should read twice. It is a heap-based buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module — the code that proxies HTTP/2 and gRPC traffic to upstreams. It triggers when three conditions line up:
- proxy_http_version 2 or a grpc_pass directive is used to proxy HTTP/2 traffic upstream,
- ignore_invalid_headers is set to off, and
- large_client_header_buffers is configured larger than 2 MB.
A remote unauthenticated attacker who hits such a server block can overflow the heap and, again, reach code execution where ASLR can be bypassed, or crash the worker where it cannot. The reason this matters more than the HTTP/3 bug is grpc_pass. Proxying gRPC through NGINX is not exotic — it is how a great many Kubernetes and microservice deployments route internal RPC and how API gateways front gRPC services. The two supporting conditions narrow the blast radius, but ignore_invalid_headers off and large header buffers are exactly the kind of settings people set once for a finicky upstream and forget.
Affected versions and fixes
CVE-2026-42530 (HTTP/3): NGINX Open Source 1.31.0–1.31.1 (fixed in 1.31.2); NGINX Instance Manager 2.17.0–2.22.0; NGINX Gateway Fabric 1.3.0–1.6.2 and 2.0.0–2.6.3 (fixed in 2.6.4); NGINX Ingress Controller 3.5.0–3.7.2, 4.0.0–4.0.1, and 5.0.0–5.5.0.
CVE-2026-42055 (HTTP/2 / gRPC): NGINX Open Source 1.30.0–1.30.2 (fixed in 1.30.3) and 1.31.1 (fixed in 1.31.2); NGINX Plus R33–R36 (fixed in R36 P6) and 37.0.0–37.0.1 (fixed in 37.0.2.1); F5 WAF for NGINX 5.9.0–5.13.1; NGINX App Protect WAF 4.10.0–4.16.0 and 5.2.0–5.8.0; F5 DoS for NGINX 4.9.0; NGINX App Protect DoS 4.3.0–4.7.0; NGINX Instance Manager 2.17.0–2.22.0; plus the same NGINX Gateway Fabric and Ingress Controller ranges as above.
If you pin to a distro package, check what your distribution actually shipped rather than trusting a version banner. Rebuild any container images off nginx:stable / nginx:mainline once the patched tags land.
Why this lands on Kubernetes teams
Both CVEs explicitly list NGINX Gateway Fabric and NGINX Ingress Controller — F5’s commercial Kubernetes data-plane products that terminate north-south traffic for clusters running them. (This is the F5 nginx-ingress controller and the Gateway-API implementation, distinct from the community ingress-nginx project.) If your cluster’s edge is NGINX Gateway Fabric or NGINX Ingress Controller and it terminates HTTP/3, or proxies gRPC to backends, the vulnerable module is sitting on your cluster’s front door, reachable by anything that can route a packet to it.
What to do right now
Patch. The fixed builds are above; the fastest path for most shops is updating the ingress or gateway image and rolling the deployment, or apt/dnf upgrade plus an nginx -s reload for host installs.
If you cannot patch immediately, F5’s per-CVE workarounds are config-only:
- CVE-2026-42530: disable HTTP/3 — drop the quic listener and http3 on until you have upgraded.
- CVE-2026-42055: remove the ignore_invalid_headers off directive from the configuration, or reduce large_client_header_buffers below 2 MB. Either change closes the trigger.
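The trigger conditions for both CVEs and the config-only workarounds above are all visible in nginx.conf, so the quickest triage is a walk over the config tree that applies nginx's inheritance rules (http → server → location) and flags the first block on each path where every condition holds. The script below is an added example written for this post, not F5's or the NGINX project's code. It is a deliberately small parser (no quoted arguments with spaces, no include resolution; feed it the output of nginx -T for a real instance) and it assumes nginx's documented defaults of ignore_invalid_headers on, large_client_header_buffers 4 8k and http3 on. The sample config embedded in it is constructed for the demonstration. Treating any block that contains grpc_pass or proxy_http_version 2 as proxying HTTP/2 upstream is a conservative approximation of the advisory's first condition.

```python
import re

# Trigger threshold from the advisory summary: large_client_header_buffers above 2 MB.
LCHB_THRESHOLD = 2 * 1024 * 1024
# nginx defaults (assumed): ignore_invalid_headers on, large_client_header_buffers 4 8k, http3 on.
DEFAULT_CTX = {"ignore_invalid_headers": "on", "lchb_bytes": 8 * 1024,
               "quic": False, "http3": "on", "h2_upstream": False, "seen": ()}

def parse_size(token):
    """Convert an nginx size token (plain bytes, k or m suffix) to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised nginx size: {token!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]

def tokenize(text):
    """Drop # comments and split into words, ';', '{' and '}'.
    Assumption: no quoted arguments containing spaces or braces."""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def parse_block(tokens, i=0):
    """Parse tokens into (name, args, children-or-None) items; return (items, next index)."""
    items = []
    while i < len(tokens) and tokens[i] != "}":
        name, args, i = tokens[i], [], i + 1
        while tokens[i] not in (";", "{"):
            args.append(tokens[i])
            i += 1
        if tokens[i] == "{":
            children, i = parse_block(tokens, i + 1)
            items.append((name, args, children))
        else:
            items.append((name, args, None))
            i += 1
    return items, i + 1

def audit(items, ctx=None, path="", findings=None):
    """Walk the config tree, inheriting settings into nested blocks as nginx does,
    and record the first block on each path where a CVE's trigger conditions all hold."""
    ctx = dict(ctx or DEFAULT_CTX)
    seen = set(ctx["seen"])
    findings = [] if findings is None else findings
    # nginx does not care about directive order within a block, so apply them all first.
    for name, args, children in items:
        if children is not None:
            continue
        if name == "ignore_invalid_headers":
            ctx["ignore_invalid_headers"] = args[0]
        elif name == "large_client_header_buffers":
            ctx["lchb_bytes"] = parse_size(args[1])   # args[0] is the buffer count
        elif name == "listen" and "quic" in args:
            ctx["quic"] = True
        elif name == "http3":
            ctx["http3"] = args[0]
        elif name == "grpc_pass" or (name == "proxy_http_version" and args[0] == "2"):
            ctx["h2_upstream"] = True                  # conservative: block proxies HTTP/2 or gRPC
    if "CVE-2026-42530" not in seen and ctx["quic"] and ctx["http3"] == "on":
        findings.append(("CVE-2026-42530", path))
        seen.add("CVE-2026-42530")
    if ("CVE-2026-42055" not in seen and ctx["h2_upstream"]
            and ctx["ignore_invalid_headers"] == "off" and ctx["lchb_bytes"] > LCHB_THRESHOLD):
        findings.append(("CVE-2026-42055", path))
        seen.add("CVE-2026-42055")
    ctx["seen"] = tuple(seen)
    for idx, (name, args, children) in enumerate(items):
        if children is not None:
            audit(children, ctx, f"{path}/{name}[{idx}]", findings)
    return findings

# Constructed sample config (not from any real deployment): three server blocks.
SAMPLE_CONFIG = """
http {
    large_client_header_buffers 4 4m;       # inherited by every server below
    server {
        listen 443 ssl;
        listen 443 quic;                    # HTTP/3 enabled: CVE-2026-42530 applies
        http3 on;
        server_name edge.example;
        location / { proxy_pass http://web-backend; }
    }
    server {
        listen 8443 ssl;
        ignore_invalid_headers off;         # set once for a finicky upstream
        location /api { grpc_pass grpc://rpc-backend:9000; }   # all three CVE-2026-42055 conditions hold
    }
    server {
        listen 9443 ssl;
        ignore_invalid_headers off;
        large_client_header_buffers 4 16k;  # override below 2 MB: trigger closed
        location /api { grpc_pass grpc://rpc-backend:9000; }
    }
}
"""

def audit_text(config_text):
    """Parse and audit a whole config; returns [(cve, block path), ...]."""
    return audit(parse_block(tokenize(config_text))[0])

if __name__ == "__main__":
    for cve, where in audit_text(SAMPLE_CONFIG):
        print(f"{cve}: trigger conditions satisfied at {where}")
```

On the sample config this reports the first server (quic listener) for CVE-2026-42530 and the /api location of the second server for CVE-2026-42055; the third server is clean because its 16k override takes large_client_header_buffers back under 2 MB, which is exactly the second workaround. Re-run it after applying a workaround to confirm the trigger is closed before you rely on it.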
For detection, watch your NGINX error log for clusters of "worker process ... exited on signal 11" lines correlated with HTTP/3 or gRPC traffic — worker segfaults are rare in steady state and are the loudest signal a crash-based probe will give you before someone refines it into an RCE.
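The detection above is two steps: find bursts of worker segfaults in the error log, then look at what the access log shows hitting the listener in the seconds before each burst. The following is an added example, not code from the post or from F5, that does both over constructed sample log lines in nginx's default error_log and "combined" access_log formats. The cluster threshold (three segfaults in five minutes) and the 30-second lead window are assumptions to tune for your traffic, and the script assumes both logs use the same time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in nginx's default error_log format (not real captures).
ERROR_LOG = """\
2026/06/18 10:14:55 [notice] 1#1: start worker process 5670
2026/06/18 10:15:02 [alert] 1#1: worker process 5670 exited on signal 11
2026/06/18 10:15:03 [notice] 1#1: start worker process 5671
2026/06/18 10:15:09 [alert] 1#1: worker process 5671 exited on signal 11
2026/06/18 10:15:10 [notice] 1#1: start worker process 5672
2026/06/18 10:15:17 [alert] 1#1: worker process 5672 exited on signal 11
2026/06/18 11:40:00 [alert] 1#1: worker process 5680 exited on signal 11
"""

# Constructed sample lines in the default "combined" access_log format.
ACCESS_LOG = """\
203.0.113.7 - - [18/Jun/2026:10:15:00 +0000] "GET / HTTP/3.0" 200 512 "-" "probe/1.0"
203.0.113.7 - - [18/Jun/2026:10:15:08 +0000] "GET / HTTP/3.0" 200 512 "-" "probe/1.0"
198.51.100.4 - - [18/Jun/2026:10:15:12 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.30"
203.0.113.7 - - [18/Jun/2026:10:15:16 +0000] "GET / HTTP/3.0" 200 512 "-" "probe/1.0"
"""

SEGV_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \S+: worker process (\d+) exited on signal 11")
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "\S+ \S+ (HTTP/[\d.]+)"')

def worker_segfaults(error_text):
    """Return (timestamp, pid) for each 'worker process N exited on signal 11' line."""
    hits = []
    for line in error_text.splitlines():
        m = SEGV_RE.match(line)
        if m:
            hits.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), int(m.group(2))))
    return hits

def segfault_clusters(events, window=timedelta(minutes=5), min_count=3):
    """Group consecutive segfaults that fall within `window` of the group's first one.
    Steady-state workers almost never segfault, so a group of min_count or more
    is the crash-probe signature worth paging on."""
    groups, current = [], []
    for ev in events:
        if current and ev[0] - current[0][0] > window:
            if len(current) >= min_count:
                groups.append(current)
            current = []
        current.append(ev)
    if len(current) >= min_count:
        groups.append(current)
    return groups

def protocol_mix(access_text, start, end):
    """Count requests by HTTP version between start and end (inclusive).
    Assumption: error_log and access_log timestamps share one time zone."""
    mix = {}
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if start <= ts <= end:
            mix[m.group(2)] = mix.get(m.group(2), 0) + 1
    return mix

def investigate(error_text, access_text, lead=timedelta(seconds=30)):
    """For each segfault cluster, report its pids and the protocol mix of requests
    from `lead` before the first crash up to the last crash."""
    report = []
    for group in segfault_clusters(worker_segfaults(error_text)):
        start, end = group[0][0] - lead, group[-1][0]
        report.append({"first": group[0][0], "last": end,
                       "pids": [pid for _, pid in group],
                       "protocols": protocol_mix(access_text, start, end)})
    return report

if __name__ == "__main__":
    for r in investigate(ERROR_LOG, ACCESS_LOG):
        print(f"{len(r['pids'])} worker segfaults {r['first']} .. {r['last']}; "
              f"traffic in window: {r['protocols']}")
```

On the sample data the three crashes at 10:15 form one cluster and the window around them is dominated by HTTP/3.0 requests from a single client, which is the correlation the paragraph asks for; the lone 11:40 segfault stays below the threshold. In production, point the same logic at the ingress pod logs, and treat a cluster whose window is mostly HTTP/3.0 or HTTP/2.0 gRPC POSTs as a reason to apply the workaround immediately rather than wait for the patch window.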
What this changes
HTTP/1.1 was text you parsed. HTTP/2 and HTTP/3 are stateful, multiplexed, binary protocols you manage — QUIC streams, QPACK dynamic tables, flow-control windows, all tracked in C, all reachable before authentication. Two independent memory-corruption bugs in one advisory cycle, in two different new-protocol modules, is not a coincidence; it is the cost of the surface we adopted for speed. The migration to HTTP/3 and gRPC moved the frontend’s risk from mishandling strings to mismanaging binary stream state, and the audit attention has not caught up to the code. Rift took eighteen years to surface. These took a fraction of that. Expect more from the same neighborhood.
References
- F5 advisory K000161616: CVE-2026-42530 (ngx_http_v3_module use-after-free)
- F5 advisory K000161584: CVE-2026-42055 (ngx_http_proxy_v2_module / ngx_http_grpc_module heap buffer overflow)
- The Hacker News, F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution (June 18, 2026)
- SecurityWeek, F5 Patches Critical, High-Severity NGINX Vulnerabilities
- BleepingComputer, F5 issues out-of-band patches for critical NGINX vulnerabilities