F5 has released security patches addressing two critical vulnerabilities in NGINX Open Source that could allow attackers to achieve remote code execution (RCE) on vulnerable servers. Given NGINX's role as one of the world's most widely deployed web servers and reverse proxies, the impact surface is substantial.
Vulnerability Details
CVE-2026-42530 — CVSS v4: 9.2 (Critical)
The most severe flaw is a use-after-free vulnerability in the ngx_http_v3_module, the component responsible for handling HTTP/3 (QUIC) connections.
How it works: A use-after-free occurs when a program continues to reference memory that has already been freed. An unauthenticated attacker can trigger this condition by sending specially crafted HTTP/3 requests, potentially leading to arbitrary code execution in the context of the NGINX worker process.
Attack conditions:
- HTTP/3 must be enabled on the target server (not default in all deployments)
- No authentication required
- Network-accessible from the internet in most production deployments
Second Critical Flaw
A second critical vulnerability was also addressed in the same security advisory. While full technical details are still being analyzed, F5 has classified it at a similar severity level and recommends immediate patching regardless of HTTP/3 configuration.
Affected Versions
The vulnerabilities affect NGINX Open Source across multiple stable and mainline release branches. F5 has published a full list of affected version ranges in its security advisory. Administrators running any NGINX version released before the patched builds should treat this as urgent.
Remediation
Immediate action required:
- Update NGINX to the patched version released June 18, 2026 — consult the official F5 NGINX security advisory for exact version numbers
- Disable HTTP/3 if not required (listen 443 quic directives) as a temporary mitigation for CVE-2026-42530
- Review firewall rules — consider blocking UDP port 443 at the network perimeter if HTTP/3 is unused
- Monitor for exploitation — watch for unusual QUIC/UDP traffic patterns in web server access logs
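To find where HTTP/3 is actually enabled before applying the mitigation above, the following added example (not from F5 or the NGINX project) scans a configuration dump for listen directives that carry the quic parameter. It assumes the input is the text printed by nginx -T, which already expands includes; the sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample shaped like `nginx -T` output (not from a real server).
SAMPLE_CONFIG = """\
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 over UDP
        listen [::]:443
               quic;
        # listen 8443 quic;  (commented out, must be ignored)
        server_name "quic.example.test";
    }
}
"""

# `nginx -T` prints one of these marker lines before each file it dumps.
FILE_MARKER = re.compile(r"^# configuration file (.+):\s*$")
# Token: quoted string, comment to end of line, structural character, or bare word.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#.*|[{};]|[^\s{};]+''')


def find_quic_listeners(config_text):
    """Return (file, line, address) for each `listen` directive with `quic`."""
    findings, current_file, line_in_file = [], "<input>", 0
    directive, start = [], 0
    for raw in config_text.splitlines():
        marker = FILE_MARKER.match(raw)
        if marker:
            current_file, line_in_file = marker.group(1), 0
            continue
        line_in_file += 1
        for match in TOKEN.finditer(raw):
            tok = match.group(0)
            if tok.startswith("#"):
                break                      # rest of the line is a comment
            if tok in ("{", "}", ";"):     # end of a directive or block header
                if tok == ";" and directive[:1] == ["listen"] and "quic" in directive[2:]:
                    findings.append((current_file, start, directive[1]))
                directive = []
                continue
            if not directive:
                start = line_in_file       # directives may span several lines
            directive.append(tok)
    return findings


if __name__ == "__main__":
    for path, line, address in find_quic_listeners(SAMPLE_CONFIG):
        print(f"{path}:{line}: HTTP/3 (QUIC) listener on {address}")
```

An empty result means no QUIC listener is configured in the dump that was scanned; it says nothing about the second flaw, which the advisory says to patch regardless of HTTP/3 configuration.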
Why This Is High Priority
NGINX powers an estimated 30–35% of all web servers globally, including deployment as a reverse proxy in front of application servers, Kubernetes ingresses, API gateways, and CDN edge nodes. A critical RCE in NGINX's HTTP/3 handling could be exploited against:
- Public-facing web applications
- Internal API gateways
- Load balancers and reverse proxies
- Container orchestration ingress controllers
HTTP/3 adoption has been accelerating since browsers enabled it by default, meaning more production deployments now have the ngx_http_v3_module active than ever before.
Patch Now
F5 and NGINX security teams are urging all administrators to apply the patches immediately. There is no confirmed public exploit code at time of publication, but given NGINX's ubiquity and the critical CVSS score, weaponization is considered a near-term risk.