F5 and NGINX: F5 Patches NGINX Vulnerability Enabling Code Execution and DoS Attacks

F5 Patches Critical NGINX Vulnerabilities Enabling RCE and DoS Attacks

On June 17, 2026, F5 issued an out-of-band security advisory (K000161614) addressing multiple high-severity vulnerabilities in NGINX components, including Open Source, NGINX Plus, NGINX Instance Manager, and related modules. The flaws, which could lead to remote code execution (RCE) and denial-of-service (DoS) attacks, prompted urgent patching recommendations from F5 and national CERTs.

The most severe issue, CVE-2026-42530 (CVSS 8.1/9.2), affects the NGINX ngx_http_v3_module when HTTP/3 QUIC is enabled. A remote attacker could exploit a use-after-free flaw in the QPACK encoder stream to crash NGINX worker processes, causing DoS or potential RCE on systems with disabled or bypassable ASLR. Affected versions include NGINX Open Source (1.31.0–1.31.1), NGINX Gateway Fabric (2.0.0–2.6.3), and NGINX Ingress Controller (5.0.0–5.5.0), with fixes available in NGINX Open Source 1.31.2 and Gateway Fabric 2.6.4.

A second high-severity flaw, CVE-2026-42055 (CVSS 8.1/9.2), impacts NGINX Plus and Open Source when using the ngx_http_proxy_v2_module or gRPC with HTTP/2 backends. Malicious HTTP/2 or gRPC traffic could trigger memory-handling errors, leading to crashes or RCE. Patched versions include NGINX Plus 37.0.2.1 and NGINX Open Source 1.31.2/1.30.3, though some products like NGINX Instance Manager and App Protect modules remain unpatched.

Additional vulnerabilities in NGINX Gateway Fabric (CVE-2026-11311, CVE-2026-50107) could disrupt routing and service integrity, with fixes available in version 2.6.4. F5 recommends immediate upgrades for affected deployments and interim mitigations, such as disabling HTTP/3/QUIC, restricting HTTP/2/gRPC exposure, and enforcing access controls. Administrators are advised to monitor F5’s security notifications for further updates.
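The interim mitigations above (disable HTTP/3/QUIC, restrict HTTP/2/gRPC backend exposure, upgrade) are easier to act on with a quick triage script. The following Python is an added example and is not code from gbhackers, F5 or the NGINX project: it compares an `nginx -v` version string against the affected and fixed NGINX Open Source releases stated in this summary, and scans an nginx configuration for the directives that enable the two attack surfaces the advisory names. `listen ... quic`, `http3 on|off` and `grpc_pass` are real NGINX directives; the version ranges are those given above; the sample version string and configuration are constructed for the example, and the status for versions the page does not mention is reported as "unknown" rather than guessed.

```python
"""Triage helper for the F5 NGINX advisory summarised above (added example)."""
import re

# Affected range for NGINX Open Source as stated on the page (inclusive).
AFFECTED_OSS = [((1, 31, 0), (1, 31, 1))]
# Fixed NGINX Open Source releases as stated on the page.
FIXED_OSS = [(1, 31, 2), (1, 30, 3)]

# Constructed sample: what `nginx -v` prints on a vulnerable host.
SAMPLE_VERSION = "nginx version: nginx/1.31.1"

# Constructed sample configuration with both exposures present.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 over QUIC enabled
        http3 on;
        # grpc_pass grpc://old-backend:50051;   (commented out; must be ignored)
        location /api/ {
            grpc_pass grpc://backend:50051;
        }
    }
}
"""

# Directives that expose each surface. Comments are stripped before matching.
EXPOSURE_PATTERNS = {
    "http3_quic": re.compile(r"^\s*(?:listen\s+[^;]*\bquic\b[^;]*;|http3\s+on\s*;)", re.M),
    "grpc_backend": re.compile(r"^\s*grpc_pass\s+[^;]*;", re.M),
}


def parse_version(text):
    """Extract (major, minor, patch) from `nginx -v` output or a bare version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def oss_status(version):
    """'vulnerable' inside the stated affected range, 'fixed' at or above a
    stated fixed release on the same branch, otherwise 'unknown'."""
    for lo, hi in AFFECTED_OSS:
        if lo <= version <= hi:
            return "vulnerable"
    for fixed in FIXED_OSS:
        if version[:2] == fixed[:2] and version >= fixed:
            return "fixed"
    return "unknown"


def strip_comments(conf):
    """Drop '#' comments so commented-out directives are not reported.
    (Naive: a '#' inside a quoted value would also be cut.)"""
    return re.sub(r"#.*", "", conf)


def scan_config(conf):
    """Map exposure name -> list of matching directive lines found in conf."""
    clean = strip_comments(conf)
    found = {}
    for name, pat in EXPOSURE_PATTERNS.items():
        lines = [m.group(0).strip() for m in pat.finditer(clean)]
        if lines:
            found[name] = lines
    return found


def triage(version_text, conf):
    """Combine version status and config exposures into recommended actions."""
    version = parse_version(version_text)
    status = oss_status(version)
    exposures = scan_config(conf)
    actions = []
    if status != "fixed":
        actions.append("upgrade to NGINX Open Source 1.31.2 (or 1.30.3)")
    if "http3_quic" in exposures:
        actions.append("interim: disable HTTP/3/QUIC (remove 'quic' from listen, "
                       "set 'http3 off;') until patched (CVE-2026-42530)")
    if "grpc_backend" in exposures:
        actions.append("interim: restrict HTTP/2/gRPC backend exposure and enforce "
                       "access controls until patched (CVE-2026-42055)")
    return {
        "version": ".".join(map(str, version)),
        "status": status,
        "exposures": exposures,
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VERSION, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

On a real host, feed `nginx -v 2>&1` and the output of `nginx -T` (the full resolved configuration, including included files) to `triage`; the script only covers the NGINX Open Source ranges the summary states, so NGINX Plus, Gateway Fabric and Ingress Controller versions still need to be checked against the advisory directly.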

Source: https://gbhackers.com/f5-patches-nginx-vulnerability/

F5 TPRM report: https://www.rankiteo.com/company/f5

NGINX TPRM report: https://www.rankiteo.com/company/nginx

{
  "id": "ngif51781792829",
  "linkid": "nginx, f5",
  "type": "Vulnerability",
  "date": "6/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {"industry": "Cybersecurity/Networking", "name": "F5", "type": "Technology Company"}
  ],
  "attack_vector": ["HTTP/3 QUIC", "HTTP/2/gRPC traffic"],
  "date_publicly_disclosed": "2026-06-17",
  "description": "On June 17, 2026, F5 issued an out-of-band security advisory (K000161614) addressing multiple high-severity vulnerabilities in NGINX components, including Open Source, NGINX Plus, NGINX Instance Manager, and related modules. The flaws could lead to remote code execution (RCE) and denial-of-service (DoS) attacks, prompting urgent patching recommendations from F5 and national CERTs.",
  "impact": {
    "operational_impact": ["Service disruption", "Potential system crashes"],
    "systems_affected": [
      "NGINX Open Source (1.31.0–1.31.1)",
      "NGINX Plus",
      "NGINX Instance Manager",
      "NGINX Gateway Fabric (2.0.0–2.6.3)",
      "NGINX Ingress Controller (5.0.0–5.5.0)"
    ]
  },
  "post_incident_analysis": {
    "corrective_actions": [
      "Patching vulnerable NGINX components",
      "Disabling vulnerable protocols (HTTP/3/QUIC, HTTP/2/gRPC) where possible"
    ],
    "root_causes": [
      "Use-after-free flaw in QPACK encoder stream (CVE-2026-42530)",
      "Memory-handling errors in HTTP/2/gRPC traffic (CVE-2026-42055)"
    ]
  },
  "recommendations": [
    "Immediate upgrades for affected deployments",
    "Monitor F5’s security notifications for updates"
  ],
  "references": [{"source": "F5 Security Advisory"}],
  "response": {
    "communication_strategy": "F5 security advisory (K000161614) and national CERT recommendations",
    "containment_measures": [
      "Disabling HTTP/3/QUIC",
      "Restricting HTTP/2/gRPC exposure",
      "Enforcing access controls"
    ],
    "remediation_measures": [
      "Patching to NGINX Open Source 1.31.2/1.30.3",
      "Upgrading NGINX Plus to 37.0.2.1",
      "Upgrading NGINX Gateway Fabric to 2.6.4"
    ]
  },
  "title": "F5 Patches Critical NGINX Vulnerabilities Enabling RCE and DoS Attacks",
  "type": ["Remote Code Execution (RCE)", "Denial-of-Service (DoS)"],
  "vulnerability_exploited": ["CVE-2026-42530", "CVE-2026-42055", "CVE-2026-11311", "CVE-2026-50107"]
}