F5 Patches NGINX Vulnerability Enabling Code Execution and DoS Attacks

By Admin
June 19, 2026
F5 has released an out-of-band security notification addressing multiple high-severity vulnerabilities in NGINX components that could allow remote code execution (RCE) and denial-of-service (DoS) attacks in certain configurations, urging customers to patch or upgrade affected deployments immediately.

On June 17, 2026, F5 issued an out-of-band security notification (K000161614) summarizing multiple high- and medium-severity flaws across NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX Gateway Fabric, NGINX Ingress Controller, and associated App Protect WAF/DoS modules.

The advisory, updated on June 18, 2026, highlights the elevated risk to HTTP/2, HTTP/3, and gRPC traffic handling paths and provides customers with a consolidated view of impacted products, versions, and fixed releases.

This notification supplements F5's regular Quarterly Security Notifications and is being echoed by national CERTs, underscoring its urgency.

Critical NGINX HTTP/3 v3 Module Flaw (CVE-2026-42530)

The most prominent issue, tracked as CVE-2026-42530 and detailed in F5 article K000161616, affects the NGINX ngx_http_v3_module when NGINX is configured to use the HTTP/3 QUIC module.

A remote, unauthenticated attacker can send specially crafted HTTP/3 traffic to reopen a QPACK encoder stream, triggering a use-after-free in the NGINX worker process that can repeatedly crash workers, causing DoS, and potentially allowing code execution on systems where ASLR is disabled or can be bypassed.

F5 assigns this bug a CVSS v3.1 base score of 8.1 and a CVSS v4.0 base score of 9.2, reflecting its high-to-critical impact profile on modern deployments.

A second high-severity issue, CVE-2026-42055 (K000161584), targets NGINX Plus and NGINX Open Source when using the ngx_http_proxy_v2_module or gRPC module with HTTP/2 backends.

When proxy_http_version is set to 2 or gRPC upstreams are enabled, malformed or malicious HTTP/2 or gRPC streams can lead to memory-handling flaws that may manifest as crashes and possibly code execution, depending on the environment's hardening.

This flaw is also rated at 8.1 (CVSS v3.1) and 9.2 (CVSS v4.0), aligning it with the HTTP/3 vulnerability in terms of severity from F5's perspective.

F5 additionally discloses multiple high-severity vulnerabilities in NGINX Gateway Fabric, including CVE-2026-11311 and CVE-2026-50107, described in K000161611 and K000161785, respectively.

These issues affect various 2.x Gateway Fabric releases. They can result in routing instability, service disruptions, or other impacts on integrity and availability within service-mesh and gateway deployments. F5 introduces fixes in Gateway Fabric 2.6.4, which is now the recommended target version for affected customers.

High-Severity CVE Matrix

Below is a consolidated table of the high-severity CVEs and their core technical metadata as provided by F5, focusing on CVSS scores, affected products, versions, and fixes.

| CVE / Article | CVSS v3.1 | CVSS v4.0 | Affected products | Affected versions | Fixed in |
|---|---|---|---|---|---|
| CVE-2026-42530 (K000161616) | 8.1 (High) | 9.2 (Critical) | NGINX Open Source | 1.31.0 – 1.31.1 | 1.31.2 |
| | | | NGINX Instance Manager | 2.17.0 – 2.22.0 | None (no fix yet) |
| | | | NGINX Gateway Fabric | 2.0.0 – 2.6.3, 1.3.0 – 1.6.2 | 2.6.4 |
| | | | NGINX Ingress Controller | 5.0.0 – 5.5.0, 4.0.0 – 4.0.1, 3.5.0 – 3.7.2 | None (no fix yet) |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX Plus | 37.0.0 – 37.0.1, R33 – R36 | 37.0.2.1, R36 P6 |
| | | | NGINX Open Source | 1.31.1, 1.30.0 – 1.30.2 | 1.31.2, 1.30.3 |
| | | | NGINX Instance Manager | 2.17.0 – 2.22.0 | None |
| | | | F5 WAF for NGINX | 5.9.0 – 5.13.1 | None |
| | | | NGINX App Protect WAF | 5.2.0 – 5.8.0, 4.10.0 – 4.16.0 | None |
| | | | F5 DoS for NGINX | 4.9.0 | None |
| | | | NGINX App Protect DoS | 4.3.0 – 4.7.0 | None |
| | | | NGINX Gateway Fabric | 2.0.0 – 2.6.3, 1.3.0 – 1.6.2 | None |
| | | | NGINX Ingress Controller | 5.0.0 – 5.5.0, 4.0.0 – 4.0.1, 3.5.0 – 3.7.2 | None |
| CVE-2026-11311 (K000161611) | 8.1 (High) | 8.6 (High) | NGINX Gateway Fabric | 2.5.0 – 2.6.3 | 2.6.4 |
| CVE-2026-50107 (K000161785) | 8.1 (High) | 8.6 (High) | NGINX Gateway Fabric | 2.3.0 – 2.6.3 | 2.6.4 |

F5 strongly recommends upgrading NGINX Open Source to 1.31.2, NGINX Plus to 37.0.2.1 or R36 P6, NGINX Gateway Fabric to 2.6.4, and aligning Ingress Controller and App Protect components with forthcoming patched releases as they become available.

Organizations unable to patch immediately should consider turning off HTTP/3 and QUIC support, restricting HTTP/2 and gRPC exposure, enforcing strict access controls, and hardening ASLR and other exploitation mitigations as interim measures.
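To decide which hosts need the interim measures first, the following added example (not F5's tooling and not code from the advisory) checks an NGINX Open Source host against the version ranges in the table above and flags the directives that enable the affected HTTP/3 and HTTP/2/gRPC paths. It assumes the inputs are the text of `nginx -v` and `nginx -T`; the function names, regular expressions and sample configuration are constructed for illustration.

```python
import re

# NGINX Open Source ranges copied from the table above (inclusive bounds).
AFFECTED = {
    "CVE-2026-42530": [("1.31.0", "1.31.1")],
    "CVE-2026-42055": [("1.31.1", "1.31.1"), ("1.30.0", "1.30.2")],
}
# Directives that enable the code paths the article names (illustrative regexes).
TRIGGERS = {
    "CVE-2026-42530": [r"\blisten\s[^;]*\bquic\b"],
    "CVE-2026-42055": [r"\bproxy_http_version\s+2\s*;", r"\bgrpc_pass\s"],
}

def vtuple(v):
    return tuple(int(p) for p in v.split("."))

def parse_version(banner):  # banner is the text printed by `nginx -v`
    m = re.search(r"nginx/(\d+\.\d+\.\d+)", banner)
    if not m:
        raise ValueError("no nginx version in banner")
    return vtuple(m.group(1))

def audit(banner, config):
    """Return {cve: [lines]} where the version is affected AND a trigger is set."""
    version = parse_version(banner)
    # Naive comment stripping: does not handle '#' inside quoted strings.
    lines = [re.sub(r"#.*", "", l).strip() for l in config.splitlines()]
    findings = {}
    for cve, ranges in AFFECTED.items():
        if not any(vtuple(lo) <= version <= vtuple(hi) for lo, hi in ranges):
            continue  # this build is outside the affected ranges for the CVE
        hits = [l for l in lines if any(re.search(p, l) for p in TRIGGERS[cve])]
        if hits:
            findings[cve] = hits
    return findings

# Constructed sample input, not taken from any real deployment.
SAMPLE_BANNER = "nginx version: nginx/1.31.1"
SAMPLE_CONFIG = """
server {
    listen 443 quic reuseport;   # HTTP/3 listener
    # listen 8443 quic;
    location /api/ { grpc_pass grpc://backend:50051; }
    location /     { proxy_http_version 1.1; proxy_pass http://app; }
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONFIG))
```

An empty result means either the build is outside the listed ranges or none of the triggering directives is active; it does not cover the other products in the table.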

Directors are additional suggested to watch F5’s quarterly safety notifications and vendor RSS/e mail channels to trace future updates and any adjustments in exploitation standing.
