F5 has launched an out-of-band safety notification addressing a number of excessive‑severity vulnerabilities in NGINX elements that may allow distant code execution (RCE) and denial‑of‑service (DoS) assaults in sure configurations, urging clients to patch or improve affected deployments instantly.
On June 17, 2026, F5 issued an out-of-band safety notification (K000161614) summarizing a number of high- and medium-severity flaws throughout NGINX Open Supply, NGINX Plus, NGINX Occasion Supervisor, NGINX Gateway Material, NGINX Ingress Controller, and related App Shield WAF/DoS modules.
The advisory, up to date on June 18, 2026, highlights the elevated threat to HTTP/2, HTTP/3, and gRPC visitors dealing with paths and supplies clients with a consolidated view of impacted merchandise, variations, and stuck releases.
This notification dietary supplements F5’s common Quarterly Safety Notifications and is being echoed by nationwide CERTs, underscoring its urgency.
Vital NGINX HTTP/3 v3 Module Flaw (CVE-2026-42530)
Essentially the most outstanding concern, tracked as CVE-2026-42530 and detailed in F5 article K000161616, impacts the NGINX ngx_http_v3_module when NGINX is configured to make use of the HTTP/3 QUIC module.
A distant, unauthenticated attacker can ship specifically crafted HTTP/3 visitors to reopen a QPACK encoder stream, triggering a use-after-free within the NGINX employee course of that may repeatedly crash staff, inflicting DoS, and probably permitting code execution on techniques the place ASLR is disabled or might be bypassed.
F5 assigns this bug a CVSS v3.1 base rating of 8.1 and a CVSS v4.0 base rating of 9.2, reflecting its high-to-critical affect profile on trendy deployments.
A second high-severity concern, CVE-2026-42055 (K000161584), targets NGINX Plus and NGINX Open Supply when utilizing the ngx_http_proxy_v2_module or gRPC module with HTTP/2 backends.
When proxy_http_version is about to 2 or gRPC upstreams are enabled, malformed or malicious HTTP/2 or gRPC streams can result in memory-handling flaws which will manifest as crashes and probably code execution, relying on the atmosphere’s hardening.
This flaw can also be rated at 8.1 (CVSS v3.1) and 9.2 (CVSS v4.0), aligning it with the HTTP/3 vulnerability when it comes to severity from F5’s perspective.
F5 moreover discloses a number of high-severity vulnerabilities in NGINX Gateway Material, together with CVE-2026-11311 and CVE-2026-50107, described in K000161611 and K000161785, respectively.
These points have an effect on numerous 2.x Gateway Material releases. They may end up in routing instability, service disruptions, or different impacts on integrity and availability inside service-mesh and gateway deployments. F5 introduces fixes in Gateway Material 2.6.4, which is now the beneficial goal model for affected clients.
Excessive CVE Matrix
Beneath is a consolidated desk of the excessive‑severity CVEs and their core technical metadata as offered by F5, specializing in CVSS scores, affected merchandise, variations, and fixes.
F5 strongly recommends upgrading NGINX Open Supply to 1.31.2, NGINX Plus to 37.0.2.1 or R36 P6, NGINX Gateway Material to 2.6.4, and aligning Ingress Controller and App Shield elements with forthcoming patched releases as they turn into out there.
Organizations unable to patch instantly ought to take into account turning off HTTP/3 and QUIC help, proscribing HTTP/2 and gRPC publicity, implementing strict entry controls, and hardening ASLR and different exploitation mitigations as interim measures.
Directors are additional suggested to watch F5’s quarterly safety notifications and vendor RSS/e-mail channels to trace future updates and any modifications in exploitation standing.
Observe us on Google Information, LinkedIn, and X to Get Prompt Updates and Set GBH as a Most well-liked Supply in Google.
