Urgent Security Advisory: Critical Remote Code Execution and DoS Vulnerabilities in NGINX Components
F5 has issued an emergency out-of-band security notification following the discovery of several high-severity vulnerabilities within the NGINX ecosystem. These flaws, which impact a wide range of products from NGINX Open Source to the NGINX Gateway Fabric, present significant risks including Remote Code Execution (RCE) and Denial-of-Service (DoS). Given the potential for exploitation, immediate patching or configuration hardening is strongly advised.
On June 17, 2026, F5 released advisory K000161614, providing a comprehensive overview of vulnerabilities affecting NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX Gateway Fabric, and the NGINX Ingress Controller, as well as associated App Protect WAF/DoS modules. The advisory, which was updated on June 18, 2026, specifically highlights critical risks associated with modern traffic handling protocols, including HTTP/2, HTTP/3 (QUIC), and gRPC.
This high-priority notification serves as a supplement to F5’s standard quarterly security updates and has been flagged by various national CERTs, signaling a heightened threat landscape for NGINX-based deployments.
Deep Dive: Critical Vulnerabilities and Technical Impact
HTTP/3 Module Flaw (CVE-2026-42530)
The most severe vulnerability identified is CVE-2026-42530, which resides in the ngx_http_v3_module. This flaw is triggered when NGINX is configured to support HTTP/3 via the QUIC protocol.
Technically, a remote, unauthenticated attacker can exploit this by sending malformed HTTP/3 traffic designed to reopen a QPACK encoder stream. This action induces a use-after-free condition within the NGINX worker process. The immediate result is often a repeated crash of the worker processes, leading to a total Denial-of-Service. More critically, in environments where Address Space Layout Randomization (ASLR) is disabled or can be bypassed, this vulnerability may allow for arbitrary code execution.
F5 has assigned this flaw a CVSS v3.1 score of 8.1 and a CVSS v4.0 score of 9.2, placing it firmly in the critical severity category.
HTTP/2 and gRPC Stream Handling (CVE-2026-42055)
A second high-impact vulnerability, CVE-2026-42055, affects environments that use the ngx_http_proxy_v2_module or the gRPC modules with HTTP/2 backends. When proxy_http_version is set to 2, malicious or malformed HTTP/2 or gRPC streams can trigger memory-handling errors. As with the HTTP/3 flaw, this can result in process crashes or potential code execution, depending on the host system’s security hardening.
This vulnerability also carries a CVSS v4.0 score of 9.2.
NGINX Gateway Fabric Risks (CVE-2026-11311 & CVE-2026-50107)
The NGINX Gateway Fabric is also susceptible to high-severity flaws (detailed in K000161611 and K000161785) affecting various 2.x releases. These vulnerabilities can compromise the integrity and availability of service-mesh architectures by causing routing instability and service disruptions. F5 recommends an immediate upgrade to Gateway Fabric version 2.6.4 to mitigate these risks.
High-Severity CVE Matrix
The following table summarizes the technical metadata for the identified high-severity vulnerabilities:
| CVE / Article | CVSS v3.1 | CVSS v4.0 | Affected Products | Affected Versions | Fixed In |
|---|---|---|---|---|---|
| CVE-2026-42530 (K000161616) | 8.1 | 9.2 | NGINX Open Source | 1.31.0 – 1.31.1 | 1.31.2 |
| | | | NGINX Instance Manager | 2.17.0 – 2.22.0 | No fix yet |
| | | | NGINX Gateway Fabric | 2.0.0 – 2.6.3, 1.3.0 – 1.6.2 | 2.6.4 |
| | | | NGINX Ingress Controller | 5.0.0 – 5.5.0, 4.0.0 – 4.0.1, 3.5.0 – 3.7.2 | No fix yet |
| CVE-2026-42055 (K000161584) | 8.1 | 9.2 | NGINX Plus | 37.0.0 – 37.0.1, R33 – R36 | 37.0.2.1, R36 P6 |
| | | | NGINX Open Source | 1.31.1, 1.30.0 – 1.30.2 | 1.31.2, 1.30.3 |
| | | | F5 WAF/DoS/App Protect | Various (See Advisory) | Pending |
| CVE-2026-11311 (K000161611) | 8.1 | 8.6 | NGINX Gateway Fabric | 2.5.0 – 2.6.3 | 2.6.4 |
| CVE-2026-50107 (K000161785) | 8.1 | 8.6 | NGINX Gateway Fabric | 2.3.0 – 2.6.3 | 2.6.4 |
Mitigation and Remediation Strategy
Immediate Action: F5 strongly advises upgrading to the following versions without delay:
- NGINX Open Source: 1.31.2
- NGINX Plus: 37.0.2.1 or R36 P6
- NGINX Gateway Fabric: 2.6.4
For Ingress Controller and App Protect components, administrators should monitor for forthcoming patched releases.
Interim Compensating Controls: If immediate patching is not feasible, administrators should implement the following defensive measures:
- Disable HTTP/3 and QUIC support entirely.
- Restrict exposure of HTTP/2 and gRPC endpoints to trusted traffic only.
- Implement strict access control lists (ACLs) to limit the attack surface.
- Ensure system-level protections, such as ASLR, are fully enabled and hardened to mitigate potential exploitation of memory flaws.
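As an added triage example (not part of the F5 advisory or any NGINX tooling), the following Python check combines the NGINX Open Source version ranges from the table above with a scan of the server configuration for the directives that put an instance in scope: QUIC/HTTP/3 listeners for CVE-2026-42530 and HTTP/2 or gRPC upstreams for CVE-2026-42055. Only the version ranges come from the page; the directive patterns and the sample configuration are constructed for illustration.

```python
import re

# NGINX Open Source ranges affected per the advisory table above (inclusive bounds).
OSS_AFFECTED = {
    "CVE-2026-42530": [("1.31.0", "1.31.1")],
    "CVE-2026-42055": [("1.31.1", "1.31.1"), ("1.30.0", "1.30.2")],
}

# Constructed directive patterns that place a configuration in scope:
# QUIC/HTTP/3 listeners for the first CVE, HTTP/2 or gRPC upstreams for the second.
RISKY_DIRECTIVES = {
    "CVE-2026-42530": [r"\bhttp3\s+on\b", r"\blisten\b[^;]*\bquic\b"],
    "CVE-2026-42055": [r"\bproxy_http_version\s+2(\.0)?\s*;", r"\bgrpc_pass\b"],
}

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def affected_oss_cves(version):
    """CVEs whose affected NGINX Open Source ranges include this version."""
    ver = parse_version(version)
    return sorted(cve for cve, ranges in OSS_AFFECTED.items()
                  if any(parse_version(lo) <= ver <= parse_version(hi)
                         for lo, hi in ranges))

def strip_comments(conf):
    """Drop '#' comments so commented-out directives are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def exposed_cves(conf):
    """CVEs whose triggering directives are active in the configuration."""
    text = strip_comments(conf)
    return sorted(cve for cve, pats in RISKY_DIRECTIVES.items()
                  if any(re.search(p, text) for p in pats))

def assess(version, conf):
    """CVEs that apply to an instance: vulnerable build AND configuration in scope."""
    return sorted(set(affected_oss_cves(version)) & set(exposed_cves(conf)))

# Constructed sample configuration for demonstration (not from the advisory).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # QUIC listener: in scope for CVE-2026-42530
    http3 on;
    # proxy_http_version 2;      # commented out, must not be flagged
    location /api/ { grpc_pass grpc://backend:50051; }
}
"""
```

Running `assess("1.31.1", SAMPLE_CONF)` reports both CVEs, while the same configuration on the patched 1.31.2 build reports none; removing the `quic` listener and `http3 on` (the first interim control) clears CVE-2026-42530 from the exposed set on any version.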
Administrators should maintain close contact with F5 via their official RSS feeds and email channels to ensure they receive real-time updates regarding new patches and changing exploitation trends.