F5 Ships Emergency NGINX Updates to Fix Critical Flaws

Cybersecurity firm F5 has issued emergency patches for several vulnerabilities in its NGINX web server products, among them two critical issues that unauthenticated remote attackers could reportedly leverage to trigger denial-of-service conditions or achieve code execution on systems running non-default configurations.

Critical vulnerabilities enable use-after-free and buffer overflow attacks. The problems, tracked as CVE-2026-42530 affecting the ngx_http_v3_module and CVE-2026-42055 impacting the ngx_http_proxy_v2_module plus ngx_http_grpc_module, reportedly produce a use-after-free condition or heap-based buffer overflow inside the NGINX worker process. This forces a restart and, according to F5, can "execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR."

Patches issued across NGINX product lineup. The company delivered fixes for NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, NGINX Instance Manager and additional offerings. In the same release cycle F5 also resolved two high-severity issues in NGINX Gateway Fabric, CVE-2026-11311 and CVE-2026-50107, that authenticated attackers could exploit to inject arbitrary NGINX configuration directives.

Mitigation steps available for delayed patching. Organizations unable to deploy the updates right away can limit exposure to CVE-2026-42530 by disabling HTTP/3 and removing the quic parameter from every listen directive. For CVE-2026-42055 administrators should eliminate the ignore_invalid_headers off setting and shrink the large_client_header_buffers value to less than 2 megabytes.

F5 products have faced repeated exploitation in recent years. Although the vendor has not reported active exploitation of these particular vulnerabilities, its portfolio has drawn repeated attention from both cybercrime and nation-state actors. Past campaigns have involved network breaches, deployment of data-wiping malware, internal network mapping, device hijacking and theft of sensitive files. F5 separately disclosed that state-backed intruders compromised its environment in August 2025 and exfiltrated undisclosed BIG-IP vulnerabilities together with source code. Over the past several years the U.S. Cybersecurity and Infrastructure Security Agency has listed seven F5 flaws as actively exploited, four of them in ransomware incidents.