CVE-2026-42530 / CVE-2026-42055 — NGINX: HTTP/3 QUIC use-after-free and HTTP/2-proxy heap overflow, out-of-band F5 patches
From CTI Daily Brief — 2026-06-19 · published 2026-06-19 · view item permalink →
F5 shipped out-of-band patches on 2026-06-17 for two critical NGINX flaws (NGINX, 2026-06-17; SecurityWeek, 2026-06-18). CVE-2026-42530 (use-after-free, CWE-416, CVSS v4 9.2): a remote unauthenticated attacker sends a crafted HTTP/3 session that reopens a QPACK encoder stream in ngx_http_v3_module, corrupting worker-process memory — a crash by default, code execution where ASLR is disabled or bypassed; affects Open Source 1.31.0–1.31.1. CVE-2026-42055 (heap-based buffer overflow, CWE-122, CVSS v4 9.2): in ngx_http_proxy_v2_module/ngx_http_grpc_module, but only under a non-default configuration triple — proxy_http_version 2 or grpc_pass, ignore_invalid_headers off, and large_client_header_buffers above 2 MB. Fixed in Open Source 1.31.2 (and 1.30.3 stable), NGINX Plus R36 P6 / 37.0.2.1, and Gateway Fabric 2.6.4. Interim mitigation for CVE-2026-42530 is to remove quic from all listen directives (disabling HTTP/3); for CVE-2026-42055, keep ignore_invalid_headers at its default on. Note the scoring split: nginx.org's own advisory rates CVE-2026-42530 "major" and CVE-2026-42055 "medium" (reflecting the latter's non-default-config gating), while SecurityWeek scores both at CVSS v4 9.2; the brief carries the higher third-party score with the vendor's qualifier noted. F5 reports no in-the-wild exploitation.