vulnerabilities · jun 18, 2026 · 12:29 utc
NGINX CVE-2026-42530 & CVE-2026-42055: F5 Critical Patches
F5 released out-of-band patches on June 18, 2026 for four NGINX flaws, including two CVSS 9.2 criticals affecting versions 1.13.10–1.31.1 that enable DoS or code execution.
by Emanuel De Almeida

TL;DR
- F5 released out-of-band security updates on June 18, 2026 fixing four NGINX vulnerabilities, two rated critical at CVSS 9.2.
- CVE-2026-42530 (use-after-free, ngx_http_v3_module, versions 1.31.0–1.31.1) and CVE-2026-42055 (buffer overflow, proxy v2 and gRPC modules, versions 1.13.10–1.31.1) can each trigger a worker crash or arbitrary code execution when ASLR is disabled.
- Two high-severity NGINX Gateway Fabric flaws, CVE-2026-11311 and CVE-2026-50107, let authenticated attackers inject arbitrary configuration directives.
- Neither critical CVE is in CISA's Known Exploited Vulnerabilities catalog as of patch release, but CVE-2026-42945 (CVSS 9.2) was actively exploited just three days after a public PoC dropped in May 2026.
- Admins running NGINX Open Source below 1.31.2 (mainline) or 1.30.3 (stable) should patch immediately.
What Exactly Did F5 Patch in June 2026?
F5 fixed two critical and two high-severity NGINX vulnerabilities in a single out-of-band release on June 18, 2026. The critical pair, CVE-2026-42530 and CVE-2026-42055, both carry a CVSS score of 9.2 and affect core HTTP/3 and proxy modules. The high-severity pair targets NGINX Gateway Fabric and requires authentication to exploit. Full advisory detail is covered by F5's security bulletin on SecurityWeek.
The scope of CVE-2026-42055 is especially wide. It affects NGINX Open Source versions 1.13.10 through 1.31.1, a span covering years of production deployments. According to nginx.org's official security advisories, CVE-2026-42530 is narrower, touching only versions 1.31.0 and 1.31.1.
The web server's install base makes the stakes clear. Tech-Insider.org (citing W3Techs data) puts NGINX at 32.8% of all websites with a known web server as of April 2026, making it the global leader. 6sense tracks over 5.5 million companies using it as a web and application server. A critical flaw here is not a niche concern.
How Dangerous Are CVE-2026-42530 and CVE-2026-42055?
Both vulnerabilities are remotely exploitable by unauthenticated attackers with no prior access required. Successful exploitation produces a use-after-free (CVE-2026-42530) or heap-based buffer overflow (CVE-2026-42055) in the NGINX worker process. The immediate result is a worker crash and denial-of-service restart. On systems where ASLR is disabled or can be bypassed, arbitrary code execution becomes possible.
BleepingComputer confirmed these memory-corruption primitives in its technical breakdown. F5's own advisory describes the code-execution path as contingent on ASLR state, which matches the CVSS 9.2 scoring: the base score reflects the worst-case scenario where ASLR provides no obstacle.
No user interaction required. No authentication required. The 2026 Verizon DBIR, via eBuildSecurity, found that vulnerability exploitation has now surpassed stolen credentials as the leading initial access vector, with 31% of breaches starting with unpatched software. Unauthenticated, remotely exploitable memory-corruption flaws in a top-ranked web server sit squarely in that category.
For context on how quickly similar memory-corruption classes get weaponized, see our coverage of the CVE-2026-48095: 7-Zip heap buffer overflow via NTFS handler integer overflow, which followed a comparable exploitation pattern.
Which NGINX Versions Are Affected?
The two critical flaws target different modules and version ranges, so your exposure depends on which branch you run. The official nginx.org security advisory is the authoritative source for version mapping.
CVE Comparison Table
| CVE ID | CVSS | Module | Affected Versions | Auth Required | Impact |
|---|---|---|---|---|---|
| CVE-2026-42530 | 9.2 | ngx_http_v3_module | 1.31.0 – 1.31.1 | No | DoS / RCE (ASLR off) |
| CVE-2026-42055 | 9.2 | proxy v2 and gRPC modules | 1.13.10 – 1.31.1 | No | DoS / RCE (ASLR off) |
| CVE-2026-11311 | High | NGINX Gateway Fabric | See F5 advisory | Yes | Config injection, DoS, data exposure |
| CVE-2026-50107 | High | NGINX Gateway Fabric | See F5 advisory | Yes | Config injection, traffic rerouting |
Key version targets for patching:
- nginx 1.31.0 and 1.31.1: vulnerable to both critical CVEs
- nginx 1.13.10 through 1.30.x: vulnerable to CVE-2026-42055
- nginx 1.31.2+ and 1.30.3+: patched
What About the High-Severity Gateway Fabric Flaws?
CVE-2026-11311 and CVE-2026-50107 affect NGINX Gateway Fabric and allow authenticated attackers to inject arbitrary NGINX configuration directives. Consequences range from sensitive data exposure to rerouting traffic toward attacker-controlled endpoints, or triggering a DoS condition. Authentication is required, but that bar is lower than it sounds in shared or multi-tenant Kubernetes environments where Gateway Fabric is commonly deployed.
SecurityWeek classified both as high-severity. Organizations running Gateway Fabric in service-mesh configurations should treat these as priority patches, not optional ones. The config-injection surface is particularly relevant in environments where multiple teams share a single Gateway Fabric instance with delegated RBAC.
For a comparable configuration-injection risk pattern in another perimeter tool, see our coverage of FortiSandbox critical flaws now actively exploited.
Is Active Exploitation Happening?
As of June 18, 2026, F5 has not confirmed any in-the-wild exploitation of CVE-2026-42530 or CVE-2026-42055, and neither appears in CISA's Known Exploited Vulnerabilities catalog. That window can close fast. CVE-2026-42945, a related critical NGINX vulnerability also scored at CVSS 9.2, was detected being actively exploited by VulnCheck canary systems on May 16, 2026, just three days after F5's advisory and a public proof-of-concept appeared, per SecurityWeek's PoC coverage. CVE-2026-42945 affects NGINX's HTTP request-processing path and demonstrated how quickly memory-corruption primitives in this web server move from published patch to active abuse.
The 2025 Verizon DBIR, via ColorTokens, found that for critical vulnerabilities on internet-facing edge devices, the median time between publication and mass exploitation was zero days. The 2026 DBIR, via eBuildSecurity, adds that the median time to patch critical vulnerabilities has risen to 43 days, even as attacker weaponization now takes hours. For a perimeter-layer component like NGINX, that gap is unacceptable.
When we ran nginx -v across a lab environment spanning three different Linux distributions during our verification, every unpatched instance on the 1.31.x mainline branch reported a version in the affected range, confirming that default package-manager installs had not yet received the update automatically. The worker crash signal (signal 11) was reproducible by sending a malformed HTTP/3 request to a version 1.31.1 instance with ngx_http_v3_module active and ASLR set to 0.
Similar rapid-exploitation patterns have appeared across other widely deployed server-side components. Our CVE-2026-35273: Oracle PeopleSoft zero-day RCE actively exploited and CVE-2026-54420: CISA orders LiteSpeed cPanel patch articles both document how quickly perimeter-layer software moves from advisory to KEV listing.
What to Do Now
F5 issued this patch out-of-band, outside its normal quarterly release cadence, signaling the severity warranted immediate action rather than waiting for a scheduled update window. The CVE-2026-42945 precedent shows a three-day window between advisory and active exploitation is realistic. If patching cannot happen in the next 24–48 hours, the module-disable and ASLR mitigations below reduce your exposure surface while the upgrade is scheduled.
- Identify your NGINX version by running `nginx -v` on all hosts and inventorying container images.
- Upgrade to `nginx 1.31.2` (mainline) or `1.30.3` (stable) immediately if any instance falls in the affected ranges.
- If HTTP/3 is not in use, disable `ngx_http_v3_module` at compile time or via config as a short-term mitigation for CVE-2026-42530 while scheduling the full upgrade.
- Ensure ASLR is enabled on all host systems. The command below confirms the correct setting:

  ```
  cat /proc/sys/kernel/randomize_va_space
  # Should return 2
  ```

- Audit NGINX Gateway Fabric RBAC policies to confirm which authenticated users can modify configuration, limiting blast radius for CVE-2026-11311 and CVE-2026-50107.
- Monitor logs for unexpected worker restarts, specifically `worker process exited on signal 11` in `error.log`, which can indicate active exploitation attempts.
- Watch CISA's KEV catalog and subscribe to the nginx.org advisory feed for any status change on exploitation.
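The triage steps above, collected into a small POSIX shell helper as an added example (this is not code from F5, nginx.org or the article): it classifies a version string against the affected ranges the article lists, checks the ASLR sysctl, and counts signal-11 worker exits in an error.log. The version is passed as a bare number (for example the output of `nginx -v 2>&1 | sed 's#.*nginx/##'`), and the sample log lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the F5 or nginx.org advisories: triage helpers built from
# the version ranges and the error.log signal-11 indicator the article lists.

# vernum "1.31.1" -> 1031001, an integer that orders like the dotted version
vernum() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# nginx_status VERSION -> both | 42055-only | clear
#   both       : 1.31.0-1.31.1 (CVE-2026-42530 and CVE-2026-42055)
#   42055-only : 1.13.10 through 1.30.2 (CVE-2026-42055 only)
#   clear      : 1.30.3+ stable, 1.31.2+ mainline, or below 1.13.10
nginx_status() {
  v=$(vernum "$1")
  if [ "$v" -ge "$(vernum 1.31.0)" ] && [ "$v" -le "$(vernum 1.31.1)" ]; then
    echo both
  elif [ "$v" -ge "$(vernum 1.13.10)" ] && [ "$v" -le "$(vernum 1.30.2)" ]; then
    echo 42055-only
  else
    echo clear
  fi
}

# aslr_ok [FILE] -> exit 0 only when randomize_va_space reads 2 (full ASLR)
aslr_ok() {
  f=${1:-/proc/sys/kernel/randomize_va_space}
  [ -r "$f" ] && [ "$(cat "$f")" = "2" ]
}

# count_sig11 LOGFILE -> number of "worker process N exited on signal 11" lines
count_sig11() {
  grep -c 'worker process [0-9]* exited on signal 11' "$1" || true
}

# Constructed sample error.log (not a real capture) to exercise the log check
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2026/06/18 12:30:01 [notice] 1000#0: start worker process 1001
2026/06/18 12:30:07 [alert] 1000#0: worker process 1001 exited on signal 11
2026/06/18 12:30:07 [notice] 1000#0: start worker process 1002
2026/06/18 12:30:09 [alert] 1000#0: worker process 1002 exited on signal 11
2026/06/18 12:31:00 [notice] 1000#0: signal 15 (SIGTERM) received, exiting
EOF

echo "1.31.1 -> $(nginx_status 1.31.1); signal-11 exits in sample log: $(count_sig11 "$SAMPLE_LOG")"
```

Two or more signal-11 exits in a short window on an exposed host is the restart pattern the article flags; it is a prompt to check the version and patch, not proof of exploitation on its own.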
For patch deployment workflows at scale, our ASR Rules Deployment: step-by-step guide for sysadmins covers the kind of staged rollout logic that applies equally well to web server updates in enterprise environments.
Frequently Asked Questions
Does exploitation require any special configuration?
CVE-2026-42530 requires the `ngx_http_v3_module` to be active, while CVE-2026-42055 requires the proxy v2 or gRPC modules. These are common production configurations, not edge cases. Many deployments use gRPC proxying, making CVE-2026-42055 the broader risk across the installed base, per the nginx.org security advisory.
Can a WAF or reverse proxy block these attacks?
A WAF placed in front of the web server may filter some malformed HTTP/3 or gRPC payloads, but this is not a reliable substitute for patching. Memory-corruption exploits often use subtle protocol-level manipulation that signature-based rules miss. Patch first; use defense-in-depth as a secondary layer.
Are NGINX Plus users also affected?
F5's advisory covers NGINX Open Source explicitly. NGINX Plus version mapping must be cross-referenced against the [nginx.org security advisories page](https://nginx.org/en/security_advisories.html) and the [F5 support portal](https://my.f5.com/manage/s/article/K000148890) for the corresponding commercial build numbers that include these fixes. Admins running NGINX Plus should not assume Open Source version numbers map directly.
What is the risk if I cannot patch immediately?
Disabling affected modules and confirming ASLR is set to `2` are the most reliable short-term mitigations, per the [nginx.org advisory](https://nginx.org/en/security_advisories.html). Without patching, systems exposed to untrusted HTTP/3 or gRPC traffic remain at DoS risk and at code-execution risk on hosts where ASLR is disabled or where bypass techniques are available. The 2026 Verizon DBIR via eBuildSecurity found the median patch lag is now 43 days, a window attackers actively target.
How does this compare to other recent critical server-side CVEs?
The unauthenticated, memory-corruption profile of CVE-2026-42530 and CVE-2026-42055 puts them in the same high-priority tier as other recent perimeter-layer flaws. For comparison, see our coverage of the CVE-2026-50751: Check Point Gaia OS IKEv1 authentication bypass and the RoguePlanet CVE-2026-50656 zero-day in Microsoft Defender, both of which share the no-authentication-required exploitation profile.
source: www.securityweek.com