
Two Critical NGINX Remote Code Execution Bugs Demand Fast Patching

What These New NGINX Remote Code Execution Flaws Are

The latest NGINX remote code execution flaws are two critical vulnerabilities in NGINX's HTTP/3 and HTTP/2 handling. Each lets an unauthenticated remote attacker run arbitrary code on servers that use specific NGINX modules and configurations, so internet-facing web infrastructure is at immediate risk until patches or mitigations are applied. F5 has disclosed and patched both issues in NGINX Open Source and related products. CVE-2026-42530 is a use-after-free in ngx_http_v3_module, triggered when HTTP/3 over QUIC is enabled and a crafted HTTP/3 session reopens a QPACK encoder stream. CVE-2026-42055 is a heap-based buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module, reachable only in certain HTTP/2 proxy configurations. Both carry a CVSS v4 score of 9.2. Code execution is rated as achievable on systems where Address Space Layout Randomization is disabled or bypassed; even where ASLR holds, a remotely triggerable memory-corruption bug in a worker process remains a denial-of-service risk, so administrators should treat both as critical.

CVE-2026-42530: HTTP/3 QUIC Use-After-Free Explained

CVE-2026-42530 affects deployments that serve HTTP/3 over QUIC with the ngx_http_v3_module in NGINX Open Source. The root cause is a use-after-free: a remote attacker reopens a QPACK encoder stream through a specially crafted HTTP/3 session, and NGINX touches memory it has already freed. Under the right conditions this can be turned into arbitrary code execution if Address Space Layout Randomization is disabled or the attacker can bypass it. The bug affects NGINX Open Source 1.31.0–1.31.1 (fixed in 1.31.2), NGINX Gateway Fabric 2.0.0–2.6.3 (fixed in 2.6.4) and 1.3.0–1.6.2, NGINX Instance Manager 2.17.0–2.22.0, and NGINX Ingress Controller 3.5.0–3.7.2, 4.0.0–4.0.1, and 5.0.0–5.5.0. Where patching cannot happen at once, F5 recommends disabling HTTP/3 as an immediate mitigation, since that removes the vulnerable code path entirely. In practice that means dropping the quic parameter from the relevant listen directives (or setting http3 off in those server blocks), reloading, and confirming with nginx -T that no QUIC listener remains. Servers that were never built with ngx_http_v3_module, or that never listen on QUIC, are not exposed to this bug.

CVE-2026-42055: HTTP/2 Proxy Buffer Overflow and Impact

CVE-2026-42055 targets HTTP/2 proxying in NGINX and has a wider footprint across the product line. It is a heap-based buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module, and it is reachable only when three conditions hold at once: proxy_http_version is set to 2 or grpc_pass is in use, ignore_invalid_headers is explicitly set to off, and large_client_header_buffers is configured with a buffer size greater than 2 MB. The last two are non-default settings (ignore_invalid_headers defaults to on and large_client_header_buffers to 4 8k), so a stock configuration that merely proxies gRPC is not exposed, while one tuned to accept very large or malformed request headers is. Under those conditions, a remote unauthenticated attacker can trigger the overflow and potentially execute arbitrary code if ASLR is disabled or bypassed. Affected versions include NGINX Open Source 1.30.0–1.30.2 and 1.31.1 (fixed in 1.30.3 and 1.31.2), NGINX Plus 37.0.0–37.0.1 (fixed in 37.0.2.1) and R33–R36 (fixed in R36 P6), plus multiple NGINX App Protect WAF, DoS, Gateway Fabric, Instance Manager, and Ingress Controller releases. As a mitigation, F5 advises removing the ignore_invalid_headers off directive (restoring the default) or reducing the large_client_header_buffers size below 2 MB; either change breaks the chain of preconditions.

Real-World Risk: Why Immediate Updates Are Necessary

Even though F5 has not reported active exploitation of these two NGINX flaws, the real-world risk is high. F5 and NGINX issues have been weaponized quickly in the past; according to The Hacker News, another critical bug, CVE-2026-42945 (dubbed NGINX Rift), came under active exploitation within days of disclosure. The broader security landscape shows the same pattern, with attackers pivoting quickly toward newly patched infrastructure issues, as seen with recent exploitation of Cisco CVE-2026-20230 and the SD-WAN zero-day CVE-2026-20245. Public advisories that spell out the trigger conditions, proof-of-concept code, and common NGINX deployment patterns make it likely that internet-facing, unpatched servers will be probed. Organizations running the HTTP/3 or HTTP/2 proxy configurations described in the advisories should assume they are at immediate exploitation risk and prioritize patching, especially where ASLR hardening is weaker or where attackers may chain these bugs with other access methods.

Patching and Configuration Guidance for Enterprise NGINX

For the HTTP/3 vulnerability, upgrade NGINX Open Source 1.31.x to 1.31.2 and NGINX Gateway Fabric 2.0.0–2.6.3 to 2.6.4, and move affected Ingress Controller versions (3.5.0–3.7.2, 4.0.0–4.0.1, 5.0.0–5.5.0) and NGINX Instance Manager 2.17.0–2.22.0 to patched releases. For the HTTP/2 vulnerability, update NGINX Open Source 1.30.0–1.30.2 to 1.30.3 and 1.31.1 to 1.31.2 (the 1.31.2 release covers both CVEs), and NGINX Plus 37.0.0–37.0.1 to 37.0.2.1 or R33–R36 to R36 P6. Enterprise environments using NGINX App Protect WAF, F5 WAF for NGINX, and App Protect DoS should align with the specific fixed versions in the vendor advisories. Where upgrade windows are delayed, disable HTTP/3, remove the ignore_invalid_headers off directive, and reduce the large_client_header_buffers size below 2 MB. Verify the state of each node rather than assuming it: nginx -v reports the installed binary's version (restart the workers after upgrading so the running processes match it), and nginx -T dumps the effective configuration so the interim settings can be confirmed across production, staging, and edge clusters. Document these temporary changes and plan to revert them once patched versions are deployed everywhere.
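To check a fleet against both exposure conditions described above, here is an added example (not F5's or the NGINX project's code) that scans an nginx -T configuration dump for a QUIC listener with HTTP/3 still on (the CVE-2026-42530 path) and for the three-way combination of HTTP/2 upstreams, ignore_invalid_headers off and large_client_header_buffers above 2 MB (the CVE-2026-42055 path). It assumes the proxy_http_version 2 spelling the article describes, that http3 defaults to on when a quic listener exists, and it performs a flat scan that does not model per-block scope; the two config dumps are constructed for the example, and a mitigated copy is included to show what the audit should report after the interim changes.

```python
"""Flat audit of an `nginx -T` config dump for the two NGINX RCE exposure patterns.
Added example with constructed sample data; not vendor code."""
import re
import sys

TWO_MB = 2 * 1024 * 1024

# Constructed sample dump (not from a real host): exposes both code paths.
EXPOSED_DUMP = """
# configuration file /etc/nginx/nginx.conf:
http {
    ignore_invalid_headers off;            # explicitly off (default is on)
    large_client_header_buffers 4 3m;      # per-buffer size above 2 MB
    server {
        listen 443 ssl;
        listen 443 quic reuseport;         # HTTP/3 enabled (http3 defaults on)
        location /api/ {
            proxy_http_version 2;          # HTTP/2 upstream, spelling per the advisory (assumed)
            proxy_pass https://backend;
        }
        location /grpc/ {
            grpc_pass grpc://backend;
        }
    }
}
"""

# The same site with the interim mitigations applied: no QUIC listener, the
# ignore_invalid_headers override removed, header buffers back under 2 MB.
MITIGATED_DUMP = """
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
        location /grpc/ {
            grpc_pass grpc://backend;
        }
    }
}
"""


def strip_comments(text):
    """Drop '#' comments so commented-out directives are not counted."""
    return re.sub(r"#[^\n]*", "", text)


def parse_size(token):
    """Convert an nginx size literal ('8k', '3m', '1g' or plain bytes) to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token.strip())
    if not m:
        raise ValueError(f"bad size: {token!r}")
    mult = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    return int(m.group(1)) * mult[m.group(2).lower()]


def directive_values(text, name):
    """Argument strings of every occurrence of a directive, ignoring block scope."""
    return [v.strip() for v in re.findall(rf"\b{name}\s+([^;{{}}]*);", text)]


def audit(dump):
    """Return the findings an operator should act on for this config dump."""
    text = strip_comments(dump)
    findings = []

    # CVE-2026-42530 path: a QUIC listener with HTTP/3 not explicitly turned off.
    quic = any("quic" in v.split() for v in directive_values(text, "listen"))
    http3 = directive_values(text, "http3")
    if quic and not (http3 and all(v == "off" for v in http3)):
        findings.append("CVE-2026-42530: HTTP/3 enabled (listen ... quic); "
                        "upgrade, or set http3 off / drop the quic listener")

    # CVE-2026-42055 path: all three advisory preconditions must hold together.
    h2_upstream = (any(v in ("2", "2.0") for v in directive_values(text, "proxy_http_version"))
                   or bool(directive_values(text, "grpc_pass")))
    invalid_off = any(v == "off" for v in directive_values(text, "ignore_invalid_headers"))
    big_buffers = any(parse_size(v.split()[-1]) > TWO_MB
                      for v in directive_values(text, "large_client_header_buffers"))
    if h2_upstream and invalid_off and big_buffers:
        findings.append("CVE-2026-42055: HTTP/2 upstream + ignore_invalid_headers off + "
                        "large_client_header_buffers > 2 MB; upgrade, or remove the "
                        "override / shrink the buffers")
    return findings


if __name__ == "__main__":
    # Usage: nginx -T 2>/dev/null | python3 audit_nginx.py   (no stdin: audits the sample)
    dump = sys.stdin.read() if not sys.stdin.isatty() else EXPOSED_DUMP
    for finding in audit(dump) or ["no exposed configuration found"]:
        print(finding)
```

Because the scan is flat, a http3 off in one server block will silence the HTTP/3 finding for the whole dump, and a location-level override is attributed to the file as a whole; treat a finding as a prompt to read the relevant blocks, and treat a clean result on a host with several include files as valid only when the dump came from nginx -T, which expands them.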
