F5 released out-of-band patches on June 17, 2026 for two critical vulnerabilities in the NGINX open source codebase. Both flaws — CVE-2026-42530 and CVE-2026-42055, each rated CVSS v4.0 9.2 — allow unauthenticated remote code execution on systems with Address Space Layout Randomization (ASLR) disabled or bypassed. On systems with ASLR enabled, the impact is limited to denial of service via worker process restarts.
- CVE-2026-42530 (CVSS 9.2): use-after-free in the HTTP/3 QUIC module, triggered by a crafted session that reopens a closed QPACK encoder stream
- CVE-2026-42055 (CVSS 9.2): heap buffer overflow in HTTP/2 proxy/gRPC, requires three simultaneous non-default conditions
- Conditional RCE: both require ASLR disabled or bypassed; otherwise impact is limited to DoS
- Patched versions: NGINX Open Source 1.31.2 and 1.30.3, NGINX Plus 37.0.2.1, Gateway Fabric 2.6.4; Instance Manager, Ingress Controller, and App Protect still lack fixes
- CVE-2026-42945 (NGINX Rift), a prior critical vulnerability, was actively exploited within 3 days of disclosure
Key stat: CVSS v4.0 9.2 for both CVEs, inside the CRITICAL band (9.0 to 10.0). CVSS v3.1: 8.1 (HIGH).
CVE-2026-42530 Mechanism: Use-After-Free via a Reopened QPACK Encoder Stream
The vulnerability resides in the ngx_http_v3_module, which handles HTTP/3 over QUIC. According to the F5 advisory cited by SecurityAffairs, an unauthenticated remote attacker can use a specially crafted HTTP/3 session to reopen a previously closed QPACK encoder stream. This reopening triggers a use-after-free in the NGINX worker process.
The immediate impact is a worker process crash and restart, resulting in denial of service: the master process respawns the worker, but every connection that worker was serving is dropped, and the crash can be triggered again. Escalation to code execution occurs on systems with ASLR disabled or bypassed. The F5 advisory does not specify ASLR bypass techniques nor identify deployment profiles at particular risk.
CVE-2026-42055: Heap Buffer Overflow with Non-Default Configurations
The second bug is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. Exploitation requires three non-default settings at the same time: an HTTP/2 upstream (proxy_http_version 2, or an active grpc_pass), ignore_invalid_headers off (the default is on), and large_client_header_buffers set above 2 MB (the default is 4 8k).
According to BleepingComputer, the default NGINX configuration is not vulnerable; all three settings must have been changed deliberately. Teams that have tuned these parameters for application needs must verify their exposure.
The Role of ASLR: The Condition That Determines Impact
The F5 advisory specifies that RCE is conditional on systems "with ASLR disabled or when the attacker can bypass ASLR." TechTimes analyzed this aspect in the context of containerized and Kubernetes deployments, but does not assert that ASLR is systematically weak in those environments. The brief contains no data on the actual prevalence of disabled or bypassable ASLR in NGINX deployments.
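Whether the "ASLR disabled" precondition holds is something a team can check on its own hosts. The following script is an added example, not code from F5 or from any of the cited articles: it reads the kernel-wide randomize_va_space sysctl (which containers share with the host kernel) and inspects the ELF header of the nginx binary to see whether it was built as a position-independent executable, since a non-PIE build loads at a fixed address regardless of the sysctl. It assumes a Linux /proc layout and an nginx binary on PATH; the two ELF headers at the bottom are constructed for offline demonstration.

```python
"""Added example: does ASLR actually cover the nginx worker on this Linux host?
Two things must hold for the main executable image to be randomized: the
kernel's /proc/sys/kernel/randomize_va_space must be non-zero (2 = full, 1 =
everything except the brk heap) and the nginx binary must be a
position-independent executable (ELF e_type ET_DYN).  A non-PIE build
(ET_EXEC) loads at a fixed address however the sysctl is set."""
import shutil
import struct
from pathlib import Path

# Kernel-wide setting; containers share it with the host kernel.
RANDOMIZE_PATH = Path("/proc/sys/kernel/randomize_va_space")


def classify_randomize(value: str) -> str:
    """Map the randomize_va_space value to disabled / partial / full."""
    return {"0": "disabled", "1": "partial", "2": "full"}.get(value.strip(), "unknown")


def elf_type(header: bytes) -> str:
    """Return REL, EXEC or DYN from the start of an ELF file.  Only the 16-byte
    identification block and the 2-byte e_type at offset 16 are read; EI_DATA
    (byte 5) selects the byte order (1 = little-endian, 2 = big-endian)."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    endian = "<" if header[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, "other")


def aslr_verdict(randomize_value: str, binary_type: str) -> str:
    """Combine both checks.  'disabled' means no randomization at all;
    'non-pie' means the executable image itself sits at a fixed address even
    though shared libraries are still randomized; 'partial' leaves only the
    brk heap unrandomized; 'full' is the expected state on a modern distro."""
    kernel = classify_randomize(randomize_value)
    if kernel == "disabled":
        return "disabled"
    if binary_type != "DYN":
        return "non-pie"
    return kernel  # "partial", "full" or "unknown"


def check_host(binary: str = "nginx") -> str:
    """Read the live sysctl and the header of the installed binary (assumes a
    Linux /proc layout and nginx on PATH, or a path given explicitly)."""
    randomize = RANDOMIZE_PATH.read_text() if RANDOMIZE_PATH.exists() else "unknown"
    path = shutil.which(binary) or binary
    with open(path, "rb") as f:
        btype = elf_type(f.read(64))
    verdict = aslr_verdict(randomize, btype)
    print(f"randomize_va_space={randomize.strip()} {path}={btype} -> ASLR {verdict}")
    return verdict


# Constructed ELF headers (64-bit, little-endian) for offline demonstration:
# e_type at offset 16 is 3 (ET_DYN, PIE) and 2 (ET_EXEC, non-PIE).
PIE_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x03\x00"
EXEC_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00"

if __name__ == "__main__":
    for label, hdr in (("pie", PIE_HEADER), ("non-pie", EXEC_HEADER)):
        print(f"constructed {label} header with sysctl 2 -> {aslr_verdict('2', elf_type(hdr))}")
    if shutil.which("nginx"):
        check_host()
```

Run it on each node that serves HTTP/3 or HTTP/2 upstream traffic; an "exec" or "disabled" verdict means the DoS-only assumption does not hold there. A process can also opt out of randomization through the ADDR_NO_RANDOMIZE personality flag (setarch -R), which this check does not detect.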
The prior CVE-2026-42945 (NGINX Rift), disclosed in May 2026, was actively exploited within 3 days of publication. The brief does not confirm that such exploitation bypassed ASLR; it reports only the exploitation timeline. This precedent serves as historical context, not proof of techniques applicable to the June CVEs.
Attack Surface: Who Has Patches and Who Remains Exposed
F5 has published patches for core products: NGINX Open Source mainline 1.31.2 and stable 1.30.3, NGINX Plus 37.0.2.1, and NGINX Gateway Fabric 2.6.4. SecurityAffairs reports the explicit advisory statement: "There is no control plane exposure; this is a data plane issue only."
At least four products still lack fixes: NGINX Instance Manager (versions 2.17.0–2.22.0), NGINX Ingress Controller (5.0.0–5.5.0), NGINX App Protect WAF, and NGINX App Protect DoS. According to GBHackers, the fix column for these products reads "None (no fix yet)."
Immediate Actions
For CVE-2026-42530: remove "quic" from listen directives if HTTP/3 is not required, pending patching.
For CVE-2026-42055: because exploitation needs all three conditions at once, restoring any one of them to its default closes the path. Check for ignore_invalid_headers off and evaluate removal, and reduce large_client_header_buffers below 2 MB if possible without application impact.
Update to patched versions where available: NGINX Open Source 1.31.2 (mainline) or 1.30.3 (stable), NGINX Plus 37.0.2.1, Gateway Fabric 2.6.4.
For products without patches — Instance Manager, Ingress Controller, App Protect WAF/DoS — monitor F5 advisories for updates. No alternative mitigations for these products are documented in the brief.
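The configuration conditions above can be audited mechanically. The script below is an added example, not code from F5 or from the cited articles: it flattens an nginx configuration into directives and reports whether a quic listener is present (CVE-2026-42530) and whether all three non-default settings for CVE-2026-42055 are present at once, with a constructed vulnerable server block beside the same block with the interim mitigations applied. It assumes the advisory's "2 MB" threshold refers to the size argument of large_client_header_buffers; the parser ignores http/server/location inheritance, so a directive counts wherever it appears (conservative), and any include files must be concatenated into the text first.

```python
"""Added example: flag nginx configurations that meet the preconditions for
CVE-2026-42530 (listen ... quic) and CVE-2026-42055 (all three non-default
settings at once).  Flat, conservative parse: a directive counts wherever it
appears, regardless of context; include files are not followed."""
import re

# Assumption: the "2 MB" threshold applies to the size argument of
# large_client_header_buffers (syntax: number size; default 4 8k).
BUFFER_THRESHOLD = 2 * 1024 * 1024


def parse_size(token: str) -> int:
    """nginx size syntax: bare bytes, k/K for KiB, m/M for MiB."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"bad size: {token!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]


def directives(text: str):
    """Yield (name, args) for every statement; comments are stripped and
    block delimiters are treated as statement boundaries."""
    text = re.sub(r"#[^\n]*", "", text)
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def audit(config_text: str) -> dict:
    """Return per-CVE exposure plus the individual conditions that drove it."""
    d = list(directives(config_text))
    conditions = {
        "http3_listen": any(n == "listen" and "quic" in a for n, a in d),
        "h2_upstream": any((n == "proxy_http_version" and a[:1] == ["2"]) or n == "grpc_pass"
                           for n, a in d),
        "ignore_invalid_headers_off": any(n == "ignore_invalid_headers" and a[:1] == ["off"]
                                          for n, a in d),
        "large_header_buffers_over_2m": any(n == "large_client_header_buffers" and len(a) >= 2
                                            and parse_size(a[1]) > BUFFER_THRESHOLD
                                            for n, a in d),
    }
    return {
        "CVE-2026-42530": conditions["http3_listen"],
        "CVE-2026-42055": (conditions["h2_upstream"]
                           and conditions["ignore_invalid_headers_off"]
                           and conditions["large_header_buffers_over_2m"]),
        "conditions": conditions,
    }


# Constructed sample: every non-default setting the advisory names, plus HTTP/3.
VULNERABLE_CONF = """
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;          # HTTP/3 on the same port
        ignore_invalid_headers off;         # default is on
        large_client_header_buffers 4 4m;   # default is 4 8k
        location /grpc/ { grpc_pass grpc://backend:50051; }
        location /api/  { proxy_http_version 2; proxy_pass https://backend; }
    }
}
"""

# Same server with the interim mitigations applied: no quic listener,
# ignore_invalid_headers back to its default, buffers under 2 MB.  The HTTP/2
# upstreams stay, which is fine because the overflow needs all three conditions.
HARDENED_CONF = """
http {
    server {
        listen 443 ssl;
        ignore_invalid_headers on;
        large_client_header_buffers 4 16k;
        location /grpc/ { grpc_pass grpc://backend:50051; }
        location /api/  { proxy_http_version 2; proxy_pass https://backend; }
    }
}
"""

if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_CONF
    print(json.dumps(audit(text), indent=2))
```

Feed it the output of nginx -T, which already resolves every include, to audit a live instance: python3 audit.py <(nginx -T 2>/dev/null).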
Risk Context
F5 manages a base of 23,000+ customers, including 48 of the Fortune 50 and 80% of the Fortune Global 500. CISA has cataloged 7 F5 vulnerabilities as actively exploited, 4 in ransomware attacks. There are no confirmations of in-the-wild exploitation for CVE-2026-42530 and CVE-2026-42055 at the time of publication.
The breach suffered by F5 in August 2025, disclosed in October 2025, involved BIG-IP vulnerabilities and source code. F5 specified that NGINX was not among the accessed data.
Editorial Close
The June 17, 2026 out-of-band patches address a rare combination: a Critical CVSS score, conditional but concrete RCE, and a precedent of rapid exploitation in the same ecosystem. The ASLR condition is not a secondary technical detail but the discriminator between manageable DoS and remote compromise. Teams running NGINX in non-default configurations (HTTP/3 enabled, or an HTTP/2 upstream with ignore_invalid_headers off and header buffers above 2 MB) must treat this advisory as high priority, bearing in mind that patch availability is uneven across the product family.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html
- https://www.bleepingcomputer.com/news/security/f5-issues-out-of-band-patches-for-critical-nginx-vulnerabilities/
- https://gbhackers.com/f5-patches-nginx-vulnerability/amp/
- https://securityaffairs.com/193842/security/f5-patches-critical-nginx-vulnerabilities-enabling-unauthenticated-code-execution.html
- https://www.techtimes.com/articles/318683/20260619/nginx-vulnerability-patch-f5-fixes-critical-http-3-http-2-remote-code-execution-flaws.htm
- https://www.securityweek.com/f5-patches-critical-high-severity-nginx-vulnerabilities/
- https://www.cve.org/CVERecord?id=CVE-2026-42530