AI description
CVE-2026-42530 is a Use-After-Free vulnerability found in the `ngx_http_v3_module` of NGINX Open Source. This flaw allows a remote, unauthenticated attacker to exploit systems configured to use the HTTP/3 QUIC module. By sending a specially crafted HTTP/3 session, an attacker can force the reopening of a QPACK encoder stream, which can lead to a Use-After-Free condition in the NGINX worker process. Successful exploitation of this vulnerability can cause the NGINX worker process to restart, resulting in a denial-of-service (DoS) condition. Additionally, attackers may be able to execute arbitrary code on systems where Address Space Layout Randomization (ASLR) is disabled or can be bypassed. The vulnerability affects NGINX Open Source versions 1.31.0 through 1.31.1, as well as specific versions of NGINX Gateway Fabric, NGINX Instance Manager, and NGINX Ingress Controller. A recommended mitigation is to disable HTTP/3 by removing "quic" from all listen directives.
- Description
- NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- Source
- f5sirt@f5.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.2
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.9
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- f5sirt@f5.com
- CWE-416
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 14
F5 has released patches for two critical vulnerabilities in NGINX Open Source, CVE-2026-42530 and CVE-2026-42055, both with a CVSS v4 score of 9.2. These flaws could allow remote code execution on affected systems. Administrators are urged to apply the updates promptly to secure
@dailytechonx
18 Jun 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Two critical NGINX flaws can lead to remote code execution. F5 has patched: • CVE-2026-42530 (HTTP/3 use-after-free) • CVE-2026-42055 (HTTP/2 heap buffer overflow) Both require specific configurations and ASLR bypass conditions. Details here → https://t.co/x1251rhB3
@TheHackersNews
18 Jun 2026
8280 Impressions
22 Retweets
60 Likes
21 Bookmarks
0 Replies
4 Quotes
Attention Nginx web server admins: two vulnerabilities with the identifiers CVE-2026-42530 and CVE-2026-42055 have been published for the Nginx web server. These vulnerabilities are of the RCE and DoS type, which
@EthicalSafe
18 Jun 2026
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
F5 Patches Critical NGINX Vulnerabilities Enabling Unauthenticated Code Execution: F5 released emergency updates for critical NGINX flaws (CVE-2026-42530, CVE-2026-42055) that could enable unauthenticated code execution. F5 has issued out-of-band patches… https://t.co/Egh8TpmJV
@shah_sheikh
18 Jun 2026
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Edge patch watch: F5 released out-of-band updates for NGINX flaws including CVE-2026-42530 and CVE-2026-42055. SecurityWeek says unauthenticated remote attackers can trigger DoS, with code execution possible in some conditions. #NGINX #Cyber https://t.co/6blR5xlopn
@Divinmentis
18 Jun 2026
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
2 Replies
0 Quotes
Multiple vulnerabilities in F5 products including NGINX. The High CVEs are the following four: CVE-2026-42530 CVE-2026-42055 CVE-2026-11311 CVE-2026-50107 K000161614: Out-of-band Security Notification (June 17, 2026) https://t.co/cu9fv9gL8u
@autumn_good_35
18 Jun 2026
208 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 Nginx 1.31.2 has been released. Notable patches: • Use-after-free vulnerability on the HTTP/3 + QUIC side (CVE-2026-42530) • Heap overflow risk in HTTP/2/gRPC proxy scenarios (CVE-2026-42055) • Memory overread caused by charset_map UTF-8 processing (CVE-2026-48142) Mutl
@ridvanyagli
18 Jun 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
NGINX CVE-2026-42530 & CVE-2026-42055: F5 Critical Patches F5 released out-of-band patches on June 18, 2026 for four NGINX flaws, including two CVSS… Read more: https://t.co/0exuxzle00 #Nginx #F5 #Cve #RemoteCodeExecution
@navanem
18 Jun 2026
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 F5 issues emergency patches for two critical NGINX vulnerabilities that could let unauthenticated attackers crash servers or execute code 🔹 CVE-2026-42530 & CVE-2026-42055 affect NGINX Plus, Open Source, Gateway Fabric & Instance Manager 🔹 No active exploitati
@techepages
18 Jun 2026
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
2026-06-17 nginx-1.30.3 stable and nginx-1.31.2 mainline versions have been released, (CVE-2026-42530),(CVE-2026-48142),(CVE-2026-42055), fix https://t.co/7HtZYwRWiH
@hacker_infra
17 Jun 2026
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
nginx 1.30.3 and 1.31.2 released to fix CVE-2026-42055, CVE-2026-48142 and CVE-2026-42530 https://t.co/8dCg0h930B
@jedisct1
17 Jun 2026
681 Impressions
2 Retweets
10 Likes
0 Bookmarks
0 Replies
1 Quote