F5 issues emergency NGINX security patches for critical RCE vulnerabilities
F5 has issued emergency patches for two critical vulnerabilities, CVE-2026-42530 and CVE-2026-42055, affecting NGINX Open Source and related products, both rated CVSS 9.2. The flaws lie in the HTTP/3 (QUIC) implementation and in HTTP/2 proxying for gRPC services, and could allow unauthenticated remote code execution. Streaming infrastructure operators running NGINX as an API gateway, reverse proxy, or Kubernetes ingress controller are urged to patch immediately.
Key Takeaways
- CVE-2026-42530 is a use-after-free memory corruption in the HTTP/3 QUIC module, triggered by malicious manipulation of the QPACK encoder stream.
- CVE-2026-42055 is a heap-based buffer overflow in HTTP/2 and gRPC proxy configurations that use specific non-default header buffer settings.
- Vulnerable products include NGINX Open Source (1.31.0–1.31.1), NGINX Plus (R33–R36), and related Gateway Fabric and Ingress Controller versions.
- Immediate remediation is required for perimeter infrastructure where NGINX serves as an API gateway, load balancer, or Kubernetes ingress controller.
- Temporary mitigations, until the patch is applied, are disabling HTTP/3 or keeping the large_client_header_buffers buffer size below 2 MB (the NGINX default is 4 8k).
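As an added triage example (not F5's or NGINX's own tooling), the POSIX shell script below checks an `nginx -v` version line against the ranges the advisory names and inspects a config file for the two exposure conditions: an uncommented QUIC listener (HTTP/3 on) and a large_client_header_buffers size of 2 MB or more. It assumes the `nginx -v` output formats "nginx version: nginx/1.31.1" and "nginx version: nginx/1.27.4 (nginx-plus-r36)"; the two config files it inspects are constructed here for the demonstration and are not from any real deployment.

```shell
#!/bin/sh
# Added triage helper (not F5/NGINX tooling). Flags the NGINX Open Source and
# NGINX Plus ranges named in the advisory and config conditions that expose
# the two affected code paths. The `nginx -v` line formats are assumptions.

# NGINX Open Source: 0 when the version is in 1.31.0-1.31.1, 1 otherwise,
# 2 when no version could be parsed.
oss_version_in_range() {
    ver=$(printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || return 2
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=$1; minor=$2; patch=${3:-0}
    [ "$major" -eq 1 ] && [ "$minor" -eq 31 ] && [ "$patch" -le 1 ]
}

# NGINX Plus: 0 when the release tag is R33-R36 (a patch suffix such as
# "-p1" is tolerated), 1 otherwise, 2 when the string carries no Plus tag.
plus_release_in_range() {
    rel=$(printf '%s\n' "$1" | sed -n 's/.*(nginx-plus-r\([0-9][0-9]*\)[^)]*).*/\1/p')
    [ -n "$rel" ] || return 2
    [ "$rel" -ge 33 ] && [ "$rel" -le 36 ]
}

# nginx size token (8k, 2m, 16384) -> bytes.
size_to_bytes() {
    num=${1%[kKmM]}
    case "$1" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Largest large_client_header_buffers size in a config file, in bytes.
# Comments are stripped first so a commented-out directive is not counted;
# 8192 (the "4 8k" default) is returned when the directive is absent.
max_header_buffer_bytes() {
    max=8192
    for tok in $(sed 's/#.*$//' "$1" |
        sed -n 's/.*large_client_header_buffers[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*\([0-9][0-9]*[kKmM]*\).*/\1/p'); do
        b=$(size_to_bytes "$tok")
        [ "$b" -gt "$max" ] && max=$b
    done
    echo "$max"
}

# 0 when an uncommented listen directive enables QUIC (HTTP/3), 1 otherwise.
http3_listener() {
    sed 's/#.*$//' "$1" | grep -Eq 'listen[[:space:]][^;]*quic'
}

# Print one token per finding ("version", "plus", "http3", "header_buffers"),
# in that order, for an `nginx -v 2>&1` line and a config file path.
triage_findings() {
    out=""
    if oss_version_in_range "$1"; then out="$out version"; fi
    if plus_release_in_range "$1"; then out="$out plus"; fi
    if http3_listener "$2"; then out="$out http3"; fi
    if [ "$(max_header_buffer_bytes "$2")" -ge $((2 * 1024 * 1024)) ]; then
        out="$out header_buffers"
    fi
    echo "${out# }"
}

# Constructed sample config (not a real deployment): HTTP/3 on, header
# buffers raised to 4 MB, and a commented-out listener that must be ignored.
EXPOSED_CFG=$(mktemp)
cat > "$EXPOSED_CFG" <<'EOF'
http {
    large_client_header_buffers 4 4m;      # raised well above the 8k default
    server {
        listen 443 ssl;
        listen 443 quic reuseport;         # HTTP/3 enabled
        # listen 8443 quic;                # commented out, must not count
        location /api/ { grpc_pass grpc://backend; }
    }
}
EOF

# Same config with both temporary mitigations applied (also constructed).
MITIGATED_CFG=$(mktemp)
cat > "$MITIGATED_CFG" <<'EOF'
http {
    large_client_header_buffers 4 16k;     # well below the 2 MB threshold
    server {
        listen 443 ssl;
        # listen 443 quic reuseport;       # HTTP/3 disabled pending the patch
        location /api/ { grpc_pass grpc://backend; }
    }
}
EOF

triage_findings "nginx version: nginx/1.31.1" "$EXPOSED_CFG"     # version http3 header_buffers
triage_findings "nginx version: nginx/1.31.1" "$MITIGATED_CFG"   # version
# On a real host: triage_findings "$(nginx -v 2>&1)" /etc/nginx/nginx.conf
```

The mitigated config still reports "version": the workarounds close the reachable paths but do not change the build, so the host stays on the patch list. For containerised NGINX, run the same checks against the image's binary and the rendered config inside the pod, since the host package manager knows nothing about either.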
Why It Matters
For streaming operators, NGINX is the bedrock of edge delivery and microservices traffic. These vulnerabilities expose the primary request-processing path to unauthenticated remote code execution, threatening the integrity of CDN ingress and content delivery nodes. That both flaws sit in HTTP/3 and gRPC handling shows that the newest parts of the streaming stack, adopted for their performance gains, currently carry the highest risk. Operators of Kubernetes environments must also track the release of updated container images, because OS package updates do not reach NGINX instances that ship inside images used in cloud-native streaming deployments.
Additional Context
This emergency response follows closely on the 'NGINX Rift' vulnerability (CVE-2026-42945) disclosed in May 2026. Per Help Net Security, May 2026, security researchers observed active exploitation attempts by threat actors just three days after the Rift disclosure. That earlier flaw, present in the NGINX codebase since 2008, showed that a vulnerability in the core rewrite module could be weaponized with a single crafted HTTP request to crash worker processes or achieve code execution.

F5's latest out-of-band updates also addressed sidecar security risks in orchestration environments. Per SecurityWeek, June 2026, the vendor patched two additional high-severity flaws, CVE-2026-11311 and CVE-2026-50107, specifically affecting NGINX Gateway Fabric. These could allow authenticated users to inject arbitrary configuration directives, potentially exposing data from NGINX pod filesystems or redirecting traffic to unauthorized endpoints. Together, these disclosures highlight an intensifying focus on memory safety and configuration integrity within the NGINX ecosystem, which remains the global leader in web server and reverse proxy market share.
Read full article at linkedin.com