\n<\/p>\n
F5 has launched an out-of-band safety notification addressing a number of excessive\u2011severity vulnerabilities in NGINX<\/a> elements that may allow distant code execution (RCE) and denial\u2011of\u2011service (DoS) assaults in sure configurations, urging clients to patch or improve affected deployments instantly.<\/p>\n On June 17, 2026, F5 issued an out-of-band safety notification (K000161614) <\/a>summarizing a number of high- and medium-severity flaws throughout NGINX Open Supply, NGINX Plus, NGINX Occasion Supervisor, NGINX Gateway Material, NGINX Ingress Controller, and related App Shield WAF\/DoS modules. <\/p>\n The advisory, up to date on June 18, 2026, highlights the elevated threat to HTTP\/2, HTTP\/3, and gRPC visitors dealing with paths and supplies clients with a consolidated view of impacted merchandise, variations, and stuck releases. <\/p>\n This notification dietary supplements F5\u2019s common Quarterly Safety Notifications and is being echoed by nationwide CERTs, underscoring its urgency.<\/p>\n Essentially the most outstanding concern, tracked as CVE-2026-42530 and detailed in F5 article K000161616, impacts the NGINX ngx_http_v3_module when NGINX is configured to make use of the HTTP\/3 QUIC module. <\/p>\n A distant, unauthenticated attacker can ship specifically crafted HTTP\/3 visitors to reopen a QPACK encoder stream, triggering a use-after-free within the NGINX employee course of that may repeatedly crash staff, inflicting DoS<\/a>, and probably permitting code execution on techniques the place ASLR is disabled or might be bypassed. <\/p>\n F5 assigns this bug a CVSS v3.1 base rating of 8.1 and a CVSS v4.0 base rating of 9.2, reflecting its high-to-critical affect profile on trendy deployments.<\/p>\n A second high-severity concern, CVE-2026-42055 (K000161584), targets NGINX Plus and NGINX Open Supply when utilizing the ngx_http_proxy_v2_module or gRPC module with HTTP\/2 backends. <\/p>\n When proxy_http_version is about to 2 or gRPC upstreams are enabled, malformed or malicious HTTP\/2 or gRPC streams can result in memory-handling flaws which will manifest as crashes and probably code execution, relying on the atmosphere\u2019s hardening. <\/p>\n This flaw can also be rated at 8.1 (CVSS v3.1) and 9.2 (CVSS v4.0), aligning it with the HTTP\/3 vulnerability when it comes to severity from F5\u2019s perspective.<\/p>\n F5 moreover discloses a number of high-severity vulnerabilities in NGINX Gateway Material, together with CVE-2026-11311 and CVE-2026-50107, described in K000161611 and K000161785, respectively. <\/p>\n These points have an effect on numerous 2.x Gateway Material releases. They may end up in routing instability, service disruptions, or different impacts on integrity and availability inside service-mesh and gateway deployments. F5 introduces fixes in Gateway Material 2.6.4, which is now the beneficial goal model for affected clients.<\/p>\n Excessive CVE Matrix<\/strong><\/p>\n Beneath is a consolidated desk of the excessive\u2011severity CVEs and their core technical metadata as offered by F5, specializing in CVSS scores, affected merchandise, variations, and fixes.<\/p>\nVital NGINX HTTP\/3 v3 Module Flaw (CVE-2026-42530)<\/strong><\/h2>\n