{"id":1369,"date":"2026-06-18T19:35:49","date_gmt":"2026-06-18T19:35:49","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1369"},"modified":"2026-06-18T19:35:49","modified_gmt":"2026-06-18T19:35:49","slug":"f5-patches-two-critical-nginx-open-source-flaws-enabling-remote-code-execution","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1369","title":{"rendered":"F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 18, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Cloud Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve remote code execution on affected systems.<\/p>\n<p>The vulnerabilities are listed below &#8211;<\/p>\n<ul>\n<li><b><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-42530\">CVE-2026-42530<\/a><\/b> (CVSS v4 score: 9.2) &#8211; A use-after-free vulnerability in ngx_http_v3_module. When NGINX Open Source is configured to use the HTTP\/3 (QUIC) module, a remote unauthenticated attacker can reopen a QPACK encoder stream by means of a specially crafted HTTP\/3 session and execute code on systems with Address Space Layout Randomization (ASLR) disabled, or where the attacker can otherwise bypass
ASLR.<\/li>\n<li><b><a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2026-42055\">CVE-2026-42055<\/a><\/b> (CVSS v4 score: 9.2) &#8211; A heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. A remote unauthenticated attacker can trigger it when the proxy_http_version directive is set to 2 or the grpc_pass directive is used to proxy HTTP\/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive specifies a buffer size larger than 2 MB, and execute code on systems with ASLR disabled or where the attacker can bypass ASLR. All three configuration conditions must hold at once; a configuration that keeps the nginx defaults (ignore_invalid_headers on and large_client_header_buffers 4 8k) does not meet them.<\/li>\n<\/ul>\n<p>The affected versions, with the fixed release where one is listed, are as follows &#8211;<\/p>\n<ul>\n<li><a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000161616\">CVE-2026-42530<\/a> &#8211;\n<ul>\n<li>NGINX Open Source 1.31.0 &#8211; 1.31.1 (Fixed in 1.31.2)<\/li>\n<li>NGINX Gateway Fabric 2.0.0 &#8211; 2.6.3 (Fixed in 2.6.4)<\/li>\n<li>NGINX Gateway Fabric 1.3.0 &#8211; 1.6.2<\/li>\n<li>NGINX Instance Manager 2.17.0 &#8211; 2.22.0<\/li>\n<li>NGINX Ingress Controller 5.0.0 &#8211; 5.5.0<\/li>\n<li>NGINX Ingress Controller 4.0.0 &#8211; 4.0.1<\/li>\n<li>NGINX Ingress Controller 3.5.0 &#8211; 3.7.2<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000161584\">
CVE-2026-42055<\/a> &#8211;\n<ul>\n<li>NGINX Plus 37.0.0 &#8211; 37.0.1 (Fixed in 37.0.2.1)<\/li>\n<li>NGINX Plus R33 &#8211; R36 (Fixed in R36 P6)<\/li>\n<li>NGINX Open Source 1.31.1 (Fixed in 1.31.2)<\/li>\n<li>NGINX Open Source 1.30.0 &#8211; 1.30.2 (Fixed in 1.30.3)<\/li>\n<li>NGINX Instance Manager 2.17.0 &#8211; 2.22.0<\/li>\n<li>F5 WAF for NGINX 5.9.0 &#8211; 5.13.1<\/li>\n<li>NGINX App Protect WAF 5.2.0 &#8211; 5.8.0<\/li>\n<li>NGINX App Protect WAF 4.10.0 &#8211; 4.16.0<\/li>\n<li>F5 DoS for NGINX 4.9.0<\/li>\n<li>NGINX App Protect DoS 4.3.0 &#8211; 4.7.0<\/li>\n<li>NGINX Gateway Fabric 2.0.0 &#8211; 2.6.3 (Fixed in 2.6.4)<\/li>\n<li>NGINX Gateway Fabric 1.3.0 &#8211; 1.6.2<\/li>\n<li>NGINX Ingress Controller 5.0.0 &#8211; 5.5.0<\/li>\n<li>NGINX Ingress Controller 4.0.0 &#8211; 4.0.1<\/li>\n<li>NGINX Ingress Controller 3.5.0 &#8211; 3.7.2<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>As interim mitigations for deployments that cannot update immediately, F5 has outlined the following actions &#8211;<\/p>\n<ul>\n<li>CVE-2026-42530 &#8211; Disable HTTP\/3<\/li>\n<li>CVE-2026-42055 &#8211; Remove the ignore_invalid_headers off directive from the configuration (the directive defaults to on, so removing it restores the default), or reduce the large_client_header_buffers directive size below 2 MB<\/li>\n<\/ul>\n<p>Although F5 makes no mention of the vulnerabilities being exploited in the wild, security flaws in F5 products have been repeatedly exploited by threat actors.<\/p>\n<p>As recently as last month, another critical security defect in NGINX Plus and NGINX Open Source (CVE-2026-42945, CVSS score: 9.2), dubbed NGINX Rift, came under active exploitation within days of public disclosure.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Jun 18, 2026. Vulnerability \/ Cloud Security. F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code
execution&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[10,58,524,13,11,1230,681,57,12,1000],"class_list":["post-1369","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-code","tag-critical","tag-enabling","tag-execution","tag-flaws","tag-nginx","tag-open","tag-patches","tag-remote","tag-source"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1369"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1369\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1370"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1369"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1369"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
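The trigger conditions for both flaws are plain configuration facts, so the first thing a practitioner wants is a check that reads them off a running instance. The script below is an added example written for this article, not code from F5 or the NGINX project: it screens an `nginx -T` dump and an NGINX Open Source version against the conditions quoted above and the Open Source version ranges in the lists, and shows the vulnerable configuration next to one with F5's mitigations applied. It assumes HTTP/3 appears as `listen ... quic` or `http3 on` and HTTP/2 proxying as `proxy_http_version 2` or `grpc_pass`; the sample configurations are constructed, and the `backend` upstream and the function names are placeholders.

```shell
# Added example: screen an nginx config dump (what `nginx -T` prints) plus the
# NGINX Open Source version for the trigger conditions F5 attached to
# CVE-2026-42530 and CVE-2026-42055. Assumptions not taken from the advisories:
# HTTP/3 shows up as `listen ... quic` or `http3 on`, HTTP/2 proxying as
# `proxy_http_version 2` or `grpc_pass`; only the Open Source ranges are encoded.

# strip_comments: drop `#` comments so a commented-out directive is ignored.
strip_comments() { sed 's/#.*$//'; }

# to_bytes SIZE: nginx size token (4096, 512k, 2m, 1g) -> bytes.
to_bytes() {
  printf '%s\n' "$1" | awk '{
    s = tolower($0); n = s + 0
    if (s ~ /k$/) n *= 1024
    else if (s ~ /m$/) n *= 1048576
    else if (s ~ /g$/) n *= 1073741824
    printf "%d\n", n }'
}
# vkey VERSION: "1.31.1" -> integer that sorts like the version (3 parts assumed).
vkey() { printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'; }

# in_range VERSION LOW HIGH: true when LOW <= VERSION <= HIGH.
in_range() {
  v=$(vkey "$1"); lo=$(vkey "$2"); hi=$(vkey "$3")
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# uses_http3 CONFIG: a listen with the quic flag, or http3 on (CVE-2026-42530).
uses_http3() {
  printf '%s\n' "$1" | strip_comments | grep -Eq \
    -e '(^|[{;])[[:space:]]*listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;)' \
    -e '(^|[{;])[[:space:]]*http3[[:space:]]+on[[:space:]]*;'
}

# proxies_http2 CONFIG: proxy_http_version 2 or grpc_pass present (CVE-2026-42055).
proxies_http2() {
  printf '%s\n' "$1" | strip_comments | grep -Eq \
    -e '(^|[{;])[[:space:]]*proxy_http_version[[:space:]]+2(\.0)?[[:space:]]*;' \
    -e '(^|[{;])[[:space:]]*grpc_pass[[:space:]]'
}

# ignores_invalid_headers_off CONFIG: the directive is explicitly set to off.
ignores_invalid_headers_off() {
  printf '%s\n' "$1" | strip_comments |
    grep -Eq '(^|[{;])[[:space:]]*ignore_invalid_headers[[:space:]]+off[[:space:]]*;'
}

# max_header_buffer CONFIG: largest large_client_header_buffers size in bytes;
# 0 when the directive is absent (nginx then uses its 8k default).
max_header_buffer() {
  max=0
  for tok in $(printf '%s\n' "$1" | strip_comments | awk '{
      for (i = 1; i < NF - 1; i++)
        if ($i == "large_client_header_buffers") { t = $(i + 2); sub(/;$/, "", t); print t } }'); do
    b=$(to_bytes "$tok")
    if [ "$b" -gt "$max" ]; then max=$b; fi
  done
  printf '%d\n' "$max"
}

# exposed_42530 VERSION CONFIG: affected Open Source build with HTTP/3 enabled.
exposed_42530() { in_range "$1" 1.31.0 1.31.1 && uses_http3 "$2"; }

# exposed_42055 VERSION CONFIG: affected build and all three config conditions.
exposed_42055() {
  { in_range "$1" 1.31.1 1.31.1 || in_range "$1" 1.30.0 1.30.2; } &&
    proxies_http2 "$2" && ignores_invalid_headers_off "$2" &&
    [ "$(max_header_buffer "$2")" -gt 2097152 ]
}

# report VERSION CONFIG: one line per CVE, as a fleet check would print it.
report() {
  if exposed_42530 "$1" "$2"; then echo "CVE-2026-42530: EXPOSED on $1"; else echo "CVE-2026-42530: not exposed"; fi
  if exposed_42055 "$1" "$2"; then echo "CVE-2026-42055: EXPOSED on $1"; else echo "CVE-2026-42055: not exposed"; fi
}

# Constructed sample: every trigger condition for both CVEs in one config.
VULN_CFG='
http {
    large_client_header_buffers 8 4m;
    server {
        listen 443 quic reuseport;
        http3 on;
        ignore_invalid_headers off;
        location /api/  { proxy_http_version 2; proxy_pass https://backend; }
        location /grpc/ { grpc_pass grpc://backend; }
    }
}'
# Same config with the mitigations applied: HTTP/3 off, ignore_invalid_headers
# back at its default (on), header buffers below 2 MB; HTTP/2 proxying stays.
FIXED_CFG='
http {
    large_client_header_buffers 4 1m;
    server {
        # listen 443 quic reuseport;
        location /api/  { proxy_http_version 2; proxy_pass https://backend; }
        location /grpc/ { grpc_pass grpc://backend; }
    }
}'
echo "== vulnerable config, 1.31.1 =="; report 1.31.1 "$VULN_CFG"
echo "== mitigated config, 1.31.1 =="; report 1.31.1 "$FIXED_CFG"
```

Against a live host, feed it the running binary's version and full configuration, for example `report "$(nginx -v 2>&1 | sed 's/.*nginx\///')" "$(nginx -T 2>/dev/null)"` (this assumes the usual `nginx version: nginx/1.31.1` output on stderr). Using `nginx -T` rather than reading nginx.conf matters: it expands every `include`, so a `quic` listener or an `ignore_invalid_headers off` buried in a per-site file is still caught. The version gate only covers the NGINX Open Source ranges from the advisories; NGINX Plus, Gateway Fabric and Ingress Controller builds need their own release comparison.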