F5 has released patches for two critical NGINX Open Source vulnerabilities, CVE-2026-42530 and CVE-2026-42055, that could allow remote unauthenticated attackers to execute code under certain configurations. The company also advised mitigations such as disabling HTTP/3 or changing header-related settings, while noting no confirmed in-the-wild exploitation for these flaws. #NGINX #F5 #CVE-2026-42530 #CVE-2026-42055 #NGINXRift
Key points
- F5 fixed two critical code-execution flaws in NGINX Open Source.
- CVE-2026-42530 affects the HTTP/3 QUIC module through a use-after-free issue.
- CVE-2026-42055 affects proxy_http_version 2 and grpc_pass traffic with a heap-based buffer overflow.
- Multiple NGINX-related products and versions require updates to remediate the issues.
- F5 recommends disabling HTTP/3 or adjusting header settings as temporary mitigations.
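
An added example (not from F5, NGINX, or the original article): a small Python audit that flags the configuration features the key points name as affected, QUIC listeners for CVE-2026-42530 and `proxy_http_version 2` or `grpc_pass` for CVE-2026-42055. The sample configuration is constructed, and the matching rules (including the `quic` parameter of `listen`) are this example's assumption about how those features appear in a config; a finding means the feature is enabled, not that the running build is unpatched.

```python
import re
import sys

# Constructed sample configuration, not a real deployment.
SAMPLE_CONF = """\
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 over QUIC
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
        location /rpc/ { grpc_pass grpc://127.0.0.1:50051; }
        # listen 8443 quic;  (commented out, must not be reported)
    }
}
"""

def directives(conf_text):
    """Yield (line_number, tokens) per directive. Simplified tokenizer:
    assumes one directive per statement and no '#' inside quoted values."""
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]              # drop comments
        for stmt in re.split(r"[;{}]", line):     # split statements and block braces
            tokens = stmt.split()
            if tokens:
                yield lineno, tokens

def audit(conf_text):
    """Return (line, cve, directive) for each enabled feature named in the summary."""
    findings = []
    for lineno, tok in directives(conf_text):
        name, args = tok[0], tok[1:]
        if name == "listen" and "quic" in args:
            # QUIC listener: the HTTP/3 code path (CVE-2026-42530)
            findings.append((lineno, "CVE-2026-42530", " ".join(tok)))
        elif name == "proxy_http_version" and args[:1] == ["2"]:
            findings.append((lineno, "CVE-2026-42055", " ".join(tok)))
        elif name == "grpc_pass":
            findings.append((lineno, "CVE-2026-42055", " ".join(tok)))
    return findings

if __name__ == "__main__":
    # Pass a file path (for example a saved configuration dump) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, cve, directive in audit(text):
        print(f"line {lineno}: {directive!r} enables a feature affected by {cve}")
```

Run it on the output of `nginx -T` saved to a file so that included files are covered.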
Read More: https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html