
CVE-2026-42530: NGINX HTTP/3 QUIC Use-after-Free Allows RCE (CVSS 9.2)

CVE-2026-42530 is a critical Use-after-Free flaw in NGINX Open Source's HTTP/3 QUIC module. A remote unauthenticated attacker can trigger worker process crashes or execute code when ASLR is disabled.

CVE-2026-42530 · critical severity · CVSS 9.2

TL;DR

  • CVE-2026-42530 is a critical (CVSS 9.2) Use-after-Free (CWE-416) in NGINX Open Source's ngx_http_v3_module.
  • A remote, unauthenticated attacker can craft an HTTP/3 session to reopen a QPACK encoder stream, freeing memory that is still referenced by the worker process.
  • The primary impact is a worker process crash (denial of service); code execution is possible when ASLR is disabled or can be bypassed.
  • No confirmed in-the-wild exploitation exists at the time of writing; it is not listed in the CISA KEV catalog.
  • Apply the vendor patch described in the F5 security advisory K000161616 immediately, or disable the HTTP/3 QUIC listener as an interim workaround.

What is CVE-2026-42530?

CVE-2026-42530 is a Use-after-Free memory corruption flaw in the ngx_http_v3_module of NGINX Open Source. When HTTP/3 over QUIC is enabled, a remote unauthenticated attacker can send a specially crafted HTTP/3 session that causes the QPACK encoder stream to be reopened, referencing memory that has already been freed inside the NGINX worker process.

A Use-after-Free (CWE-416) occurs when a program continues to use a pointer after the memory it references has been freed. In NGINX's case, the freed worker-process memory can be leveraged to crash the process or, under specific conditions, to redirect execution flow toward attacker-controlled data.


Who is affected?

The vulnerability affects the following product when it is explicitly configured to serve HTTP/3 traffic:

  • F5 NGINX Open Source - any version with ngx_http_v3_module compiled in and a listen ... quic directive active.

Key scoping notes:

  • Deployments running only HTTP/1.1 or HTTP/2 (no QUIC/HTTP/3 listener) are not vulnerable.
  • Versions that have reached End of Technical Support (EoTS) are excluded from F5's evaluation scope but should be considered at risk.
  • NGINX Plus users should check the F5 advisory directly for their branch guidance.

How severe is it?

CVSS 4.0 base score: 9.2 (Critical)
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Breaking down the key metrics:

  • Attack Vector: Network - exploitation requires no physical or local access; the attacker only needs to reach the QUIC/UDP port (typically 443).
  • Attack Complexity: High - success depends on conditions beyond the attacker's full control, such as precise heap state or the ability to reopen the encoder stream in a specific sequence.
  • Privileges Required / User Interaction: None - no account credentials and no victim interaction are needed.
  • Confidentiality, Integrity, Availability: High - in the worst-case (ASLR disabled), all three CIA properties are at risk. In the common case, availability is the primary concern due to worker process restarts.

The High AC score reflects that reliable exploitation is non-trivial, but the severity remains critical because no authentication barrier exists and network-accessible HTTP/3 endpoints are widely deployed.


Is it being exploited?

No confirmed exploitation is known at this time. CVE-2026-42530 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date of this analysis. No public proof-of-concept or active threat-actor campaigns have been reported.

However, the attack surface is broad - public-facing NGINX servers with HTTP/3 enabled are reachable by any internet user - and the denial-of-service primitive (worker crash) has a relatively low bar to trigger compared to full code execution. Organizations should treat the patching timeline as urgent regardless of current exploitation status.


How to fix and mitigate it

  1. Apply the vendor-supplied patch. Follow the remediation steps in the official F5 security advisory K000161616. Do not rely on a specific version number from third-party sources - use the advisory to confirm the correct patched build for your branch.

  2. Disable HTTP/3 if patching is not immediately possible. Comment out or remove the QUIC listener from your NGINX configuration, then reload:

# Before (vulnerable configuration):
server {
    listen 443 quic reuseport;
    listen 443 ssl;
    # ...
}

# After (interim workaround - HTTP/3 disabled):
server {
    # listen 443 quic reuseport;  <-- commented out
    listen 443 ssl;
    # ...
}

# Validate the configuration, then reload without dropping the HTTP/1.1 and HTTP/2 listeners
nginx -t && systemctl reload nginx

  3. Ensure ASLR is enabled on all NGINX hosts. Even if exploitation of this specific CVE requires additional conditions, ASLR is a baseline hardening control that raises the bar for all memory-corruption attacks:

# Verify ASLR is enabled (value should be 2)
cat /proc/sys/kernel/randomize_va_space

# Enable if not already set (takes effect immediately; to persist across reboots,
# also set kernel.randomize_va_space = 2 in /etc/sysctl.conf or /etc/sysctl.d/)
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

  4. Restrict UDP/443 at the network perimeter to known client ranges if your HTTP/3 audience is bounded (e.g., internal services). This does not replace patching but reduces exposure.

  5. Monitor F5 advisories and the CISA KEV catalog for status changes that may indicate active exploitation and accelerate your patching SLA.


How to detect exposure

  • Check for active HTTP/3 listeners:
nginx -T 2>/dev/null | grep -i 'quic\|http3\|ngx_http_v3'
  • Confirm the module is compiled in:
nginx -V 2>&1 | grep 'http_v3'
  • Review access logs for HTTP/3 traffic. Many log formats include the protocol version; filter for QUIC/HTTP/3 sessions to understand exposure volume:
grep 'HTTP/3' /var/log/nginx/access.log | wc -l
  • Watch for unexpected worker restarts in system logs, which can be an early indicator that the denial-of-service primitive is being triggered:
journalctl -u nginx --since '24 hours ago' | grep -i 'worker process.*exited\|signal'
  • Deploy EDR or auditd rules to alert on abnormal memory access patterns or unexpected child process spawning from the NGINX worker binary.
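The listener grep above also matches a listen line that was merely commented out by the step 2 workaround, and the ASLR check in step 3 is a one-off read. The following script, added here as an example and not part of the F5 or navanem advisory, wraps both checks into shell functions that ignore comments and can be pointed at saved `nginx -T` output; the sample configuration is constructed for demonstration only.

```shell
#!/bin/sh
# Added example, not from the F5/navanem advisory: report only *active*
# "listen ... quic" directives (commented-out ones left by the workaround are
# ignored) and check the ASLR sysctl. Input is a file holding the text of
# `nginx -T` or a single NGINX config file.

# Print each active QUIC listener in the given config file.
active_quic_listeners() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*listen[[:space:]].*[[:space:]]quic([[:space:]]|;)'
}

# Echo the number of active QUIC listeners (0 once the workaround is complete).
count_quic_listeners() {
    active_quic_listeners "$1" | grep -c . || true
}

# Succeed (exit 0) only when randomize_va_space holds the full-ASLR value 2.
# An alternative file path may be passed for testing; default is the live sysctl.
aslr_is_full() {
    val=$(cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null)
    [ "$val" = "2" ]
}

# Constructed sample: one vhost with the workaround applied, one still exposed.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
server {
    # listen 443 quic reuseport;   # workaround applied here
    listen 443 ssl;
}
server {
    listen [::]:443 quic reuseport;
    listen [::]:443 ssl;
}
EOF

if [ "$(count_quic_listeners "$SAMPLE_CFG")" -gt 0 ]; then
    echo "EXPOSED: active QUIC listener(s) in $SAMPLE_CFG:"
    active_quic_listeners "$SAMPLE_CFG"
else
    echo "No active QUIC listeners; HTTP/3 attack surface is closed."
fi
aslr_is_full && echo "ASLR: full (2)" || echo "ASLR: not fully enabled"
```

On a real host, replace the sample with `nginx -T 2>/dev/null > /tmp/nginx-dump.conf` and pass that file to `count_quic_listeners`.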

Frequently asked questions

Does CVE-2026-42530 affect all NGINX installations?

No. Only NGINX Open Source instances actively configured to use the HTTP/3 QUIC module are vulnerable. Standard HTTP/1.1 or HTTP/2 deployments without the ngx_http_v3_module enabled are not affected by this specific flaw.

Can an attacker reliably execute code through CVE-2026-42530?

Full remote code execution requires ASLR to be disabled on the host, or the attacker must independently bypass ASLR. Without meeting those conditions, the most likely outcome is an NGINX worker process crash and restart, causing a denial-of-service impact.

Is CVE-2026-42530 listed in the CISA Known Exploited Vulnerabilities catalog?

No. As of the time of writing, CVE-2026-42530 is not listed in the CISA KEV catalog and no confirmed in-the-wild exploitation has been publicly reported. That status can change, so monitor CISA KEV and F5 advisories regularly.

What is the fastest interim mitigation if patching is not immediately possible?

Disable the HTTP/3 QUIC listener in your NGINX configuration by removing or commenting out the listen ... quic directive and reloading NGINX. This eliminates the attack surface entirely while a patched build is prepared and tested.
