F5 has issued out-of-band updates for multiple NGINX vulnerabilities, including critical flaws in ngx_http_v3_module and ngx_http_proxy_v2_module/ngx_http_grpc_module that could lead to denial of service or remote code execution on vulnerable systems. The company also patched high-severity issues in NGINX Gateway Fabric and provided mitigations for admins who cannot immediately apply the updates. #NGINX #F5 #CVE-2026-42530 #CVE-2026-42055 #CVE-2026-11311 #CVE-2026-50107
Keypoints
- F5 released out-of-band fixes for multiple NGINX security vulnerabilities.
- CVE-2026-42530 and CVE-2026-42055 are critical flaws affecting specific NGINX modules.
- Exploitation can cause denial of service or code execution in non-default configurations.
- Admins can mitigate by disabling HTTP/3 and adjusting header-related configuration settings.
- F5 also patched two high-severity NGINX Gateway Fabric flaws that allow directive injection.