F5 Patches Critical NGINX Vulnerabilities in Out-of-Band Update

F5 NGINX vulnerabilities advisory covering critical HTTP/3 and HTTP/2 flaws in ngx_http_v3_module and Gateway Fabric

F5 has issued an unscheduled security advisory for several products tied to NGINX and BIG-IP. The company detailed six NGINX vulnerabilities in total. Some earned a high severity rating, and F5 has already fixed them in new releases. Administrators should therefore review their versions without delay.

The Two Critical Flaws

CVE-2026-42530: HTTP/3 Use-After-Free

The most serious bug sits in the ngx_http_v3_module of NGINX Open Source. F5 tracks it as CVE-2026-42530, with a CVSS 4.0 score of 9.2 Critical. The flaw affects NGINX Open Source 1.31.0 and 1.31.1, and version 1.31.2 closes the hole. The flaw also reaches NGINX Instance Manager, NGINX Gateway Fabric, and NGINX Ingress Controller. When HTTP/3 over QUIC is enabled, a remote attacker can exploit it without any credentials.

CVE-2026-42055: HTTP/2 and gRPC Overflow

The second critical bug carries the same 9.2 score. F5 tracks it as CVE-2026-42055, and it lives in the ngx_http_proxy_v2_module and ngx_http_grpc_module. This one touches a wide range of products. The affected list includes NGINX Plus, NGINX Open Source, NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, F5 DoS for NGINX, NGINX App Protect DoS, NGINX Gateway Fabric, and NGINX Ingress Controller. F5 fixed it in NGINX Open Source 1.31.2 and 1.30.3. For NGINX Plus, the fixes landed in 37.0.2.1 and R36 P6.

High-Severity Gateway Fabric Issues

F5 also flagged two more bugs in NGINX Gateway Fabric. Both scored 8.6 on the High scale. CVE-2026-11311 affects versions 2.5.0 through 2.6.3. Meanwhile, CVE-2026-50107 affects versions 2.3.0 through 2.6.3. The company closed both issues in NGINX Gateway Fabric 2.6.4.

The Remaining Two Vulnerabilities

Two further bugs complete the advisory. CVE-2026-48142 scored 6.3 Medium, and it involves the ngx_http_charset_module. This flaw reaches NGINX Plus, NGINX Open Source, NGINX Instance Manager, the NGINX protection products, NGINX Gateway Fabric, and NGINX Ingress Controller.

Separately, CVE-2026-32682 scored 7.1 High. It affects NGINX Gateway Fabric versions 1.3.0 through 1.6.2 and 2.0.0 through 2.6.3. Version 2.6.4 fixes this issue as well.

What Administrators Should Do

F5 checked only product versions still under technical support, so the advisory may not cover end-of-life releases. Administrators should compare their running versions against the published list and then install every available update. This step matters most for systems on the external perimeter and for any NGINX component that serves critical services.
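
One way to run that comparison across an inventory, as an added example that is not part of the original article or F5's advisory. It encodes only the affected ranges stated above; CVE-2026-42055 and CVE-2026-48142 are left out because the article gives no affected ranges for them, and the product keys, host names and inventory rows are constructed for illustration.

```python
import re

# Inclusive affected ranges exactly as stated in the article above.
# CVE-2026-42055 and CVE-2026-48142 are omitted: no affected ranges are given.
AFFECTED = {
    "nginx-oss": {
        "CVE-2026-42530": [((1, 31, 0), (1, 31, 1))],
    },
    "nginx-gateway-fabric": {
        "CVE-2026-11311": [((2, 5, 0), (2, 6, 3))],
        "CVE-2026-50107": [((2, 3, 0), (2, 6, 3))],
        "CVE-2026-32682": [((1, 3, 0), (1, 6, 2)), ((2, 0, 0), (2, 6, 3))],
    },
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first x.y.z triple, e.g. from 'nginx version: nginx/1.31.1'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def affected_cves(product, version_text):
    """Return the sorted CVE ids whose stated ranges include this version."""
    version = parse_version(version_text)
    return sorted(
        cve for cve, ranges in AFFECTED[product].items()
        if any(lo <= version <= hi for lo, hi in ranges)
    )


def audit(inventory):
    """Map each host to the CVEs its (product, version string) matches."""
    return {host: affected_cves(product, ver) for host, product, ver in inventory}


# Constructed sample inventory; the nginx-oss strings mimic `nginx -v` output.
INVENTORY = [
    ("edge-1", "nginx-oss", "nginx version: nginx/1.31.1"),
    ("edge-2", "nginx-oss", "nginx version: nginx/1.31.2"),
    ("k8s-a", "nginx-gateway-fabric", "2.4.0"),
    ("k8s-b", "nginx-gateway-fabric", "1.6.2"),
    ("k8s-c", "nginx-gateway-fabric", "2.6.4"),
]

if __name__ == "__main__":
    for host, cves in audit(INVENTORY).items():
        print(host, ", ".join(cves) or "no match in the listed ranges")
```

An empty result only means the version falls outside the ranges listed here; the two omitted CVEs still have to be checked against F5's published list.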
