F5 Alerts Customers About Critical NGINX Vulnerabilities
F5 Networks has issued an important out-of-band security notification highlighting multiple high-severity vulnerabilities related to NGINX components that pose significant threats, including potential remote code execution (RCE) and denial-of-service (DoS) attacks. The company has urged its customers to promptly patch or upgrade their affected systems to mitigate these risks.
On June 17, 2026, F5 officially released the security notification identified as K000161614. This document provides a comprehensive summary of several high- and medium-severity flaws identified across various NGINX components including NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX Gateway Fabric, NGINX Ingress Controller, and associated App Protect Web Application Firewall and DoS modules. Recognizing the high stakes involved, F5 updated the advisory on June 18, emphasizing the critical vulnerabilities associated with HTTP/2, HTTP/3, and gRPC traffic handling paths.
The urgency of this advisory is underscored by the attention it has drawn within the cybersecurity community, including from national Computer Emergency Response Teams (CERTs). F5’s notification supplements its regular Quarterly Security Notifications and signals that users of affected products should act immediately.
Critical Vulnerability in NGINX HTTP/3 Module
Among the vulnerabilities, the most critical is tracked as CVE-2026-42530. It affects the NGINX ngx_http_v3_module when the server is configured to use the HTTP/3 QUIC module. A remote, unauthenticated attacker could send specially crafted HTTP/3 traffic that reopens a QPACK encoder stream, triggering a use-after-free condition in the NGINX worker process that crashes the worker and disrupts service. On systems that do not have Address Space Layout Randomization (ASLR) enabled or are not otherwise suitably hardened, the flaw additionally poses a risk of code execution.
This particular bug has been assigned a CVSS v3.1 base score of 8.1 and a CVSS v4.0 base score of 9.2, categorizing it within the high-to-critical severity range.
Additional High-Severity Issues
Another notable vulnerability, cataloged as CVE-2026-42055, affects both NGINX Plus and NGINX Open Source when the ngx_http_proxy_v2_module or the gRPC module is used with HTTP/2 backends. Where the configuration proxies HTTP/2 streams, malformed or malicious streams can trigger memory-handling errors that crash the worker process and, under specific environmental conditions, potentially enable code execution. It carries the same CVSS ratings as the HTTP/3 vulnerability, underscoring the seriousness of the issue.
Moreover, F5 has reported multiple high-severity vulnerabilities in NGINX Gateway Fabric, including CVE-2026-11311 and CVE-2026-50107. These reported flaws can result in routing instability, service disruptions, and overall integrity and availability issues within service-mesh and gateway deployments. F5 has advised that fixes are available in Gateway Fabric version 2.6.4, now recommended for all affected customers.
Consolidated High CVE Matrix
F5 has provided a detailed matrix listing important technical details concerning the high-severity CVEs, including their associated CVSS scores, affected products and versions, and available fixes. This information serves as an essential resource for administrators working to secure their systems.
F5 strongly recommends that organizations upgrade to the latest versions of various NGINX offerings, including NGINX Open Source to 1.31.2 and NGINX Plus to 37.0.2.1. For those unable to promptly patch their systems, interim measures are advised. These include disabling HTTP/3 support, restricting HTTP/2 and gRPC usage, implementing strict access controls, and enhancing ASLR configurations.
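As an added example (not code from F5, NGINX or the advisory), the following POSIX shell helper audits an `nginx -T` style configuration dump for the surfaces the interim measures above refer to (HTTP/3 QUIC listeners, HTTP/2 listeners, gRPC upstreams) and compares an NGINX Open Source version against the 1.31.2 fixed release named in the advisory. The sample configuration and the `backend` hostname are constructed for illustration; NGINX Plus uses its own release numbering and is not handled here.

```shell
# Added audit helper (not F5's or NGINX's own code): flags HTTP/3, HTTP/2 and
# gRPC directives in an `nginx -T` style dump and compares an NGINX Open Source
# version with the fixed release from the advisory. NGINX Plus is not covered.
FIXED_OSS_VERSION="1.31.2"   # value taken from the advisory

# Exit 0 when dotted version $1 is older than $2 (numeric, component-wise).
version_older() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi != yi) exit (xi < yi) ? 0 : 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Read config text on stdin; print one tagged line per risky directive.
# Comments are stripped first so commented-out directives are not flagged.
risky_directives() {
    sed 's/#.*$//' | awk '
        /^[ \t]*listen[ \t]/ && /[ \t]quic([ \t;]|$)/  { print "HTTP3: " $0; next }
        /^[ \t]*http3[ \t]+on[ \t]*;/                  { print "HTTP3: " $0; next }
        /^[ \t]*listen[ \t]/ && /[ \t]http2([ \t;]|$)/ { print "HTTP2: " $0; next }
        /^[ \t]*http2[ \t]+on[ \t]*;/                  { print "HTTP2: " $0; next }
        /^[ \t]*grpc_pass[ \t]/                        { print "GRPC: " $0; next }'
}

# Constructed sample config (not from a real deployment) used for demonstration.
SAMPLE_CONF='
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3 listener
    http2 on;
    # http3 on;   commented out: must not be flagged
    location /grpc/ {
        grpc_pass grpc://backend:50051;
    }
}'

# Print a verdict; exit 0 only when the version is fixed and nothing is flagged.
audit() {
    n=$(printf '%s\n' "$2" | risky_directives | wc -l | tr -d ' ')
    if version_older "$1" "$FIXED_OSS_VERSION"; then
        echo "nginx $1 predates $FIXED_OSS_VERSION; upgrade ($n risky directive(s))"; return 1
    fi
    echo "nginx $1 is at or past $FIXED_OSS_VERSION; $n risky directive(s) still warrant review"
    [ "$n" -eq 0 ]
}
```

Run it against a live host with `audit "$(nginx -v 2>&1 | sed 's#.*/##')" "$(nginx -T 2>/dev/null)"`; a flagged HTTP/3 or HTTP/2 directive on an unpatched build is exactly the exposure the interim measures are meant to remove.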
Administrators are encouraged to stay vigilant by monitoring F5’s security notifications and vendor communication channels, ensuring they remain informed about the latest updates and exploitation status changes. As cyber threats continue to evolve, proactive measures and timely updates become crucial to maintaining system integrity and resilience against potentially devastating attacks.
