
Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow attackers to execute code on vulnerable systems.
The two critical vulnerabilities were found in the ngx_http_v3_module (CVE-2026-42530) and in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and can be exploited by unauthenticated remote attackers to trigger a denial-of-service (DoS) attack or code execution on NGINX systems with non-default configurations.
Successful exploitation causes a use-after-free or heap-based buffer overflow in the NGINX worker process, leading to a restart. In both cases, attackers can also "execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR."
F5 has released security fixes for multiple NGINX software products affected by these two vulnerabilities, including NGINX Plus and NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager.
Admins who can't immediately install the security updates can mitigate CVE-2026-42530 by disabling HTTP/3 (removing quic from all listen directives) and CVE-2026-42055 by removing the ignore_invalid_headers off directive from the configuration and reducing the large_client_header_buffers directive size below 2 megabytes.
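A defender-side check for the interim mitigations above, added here as an example and not code from F5 or the article: a POSIX shell audit that flags each of the three weak settings in a flattened nginx configuration (run `nginx -T` first so included files are visible). The sample config is constructed, and the 8k fallback assumes nginx's documented default for large_client_header_buffers.

```shell
#!/bin/sh
# Constructed sample config (not from the article) with all three weak settings present.
SAMPLE_CONF='http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 quic reuseport;
        listen 443 ssl;
    }
}'

# Prints listen directives that enable HTTP/3 (QUIC); no output when none exist.
find_quic_listen() {
    printf '%s\n' "$1" | grep -nE '^[[:space:]]*listen[[:space:]].*[[:space:]]quic([[:space:]]|;)'
}

# Succeeds (exit 0) when "ignore_invalid_headers off;" is configured.
has_ignore_invalid_headers_off() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*ignore_invalid_headers[[:space:]]+off[[:space:]]*;'
}

# Converts an nginx size token (8k, 2m, or bare bytes) to a byte count.
size_to_bytes() {
    case "$1" in
        *[mM]) echo $(( ${1%[mM]} * 1024 * 1024 )) ;;
        *[kK]) echo $(( ${1%[kK]} * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Prints the configured large_client_header_buffers size in bytes.
# Assumes nginx's default of 8k when the directive is absent.
header_buffer_bytes() {
    size=$(printf '%s\n' "$1" | awk '/^[[:space:]]*large_client_header_buffers[[:space:]]/ { gsub(/;/, "", $3); print $3; exit }')
    size_to_bytes "${size:-8k}"
}

# Prints one line per finding; exit status is the number of weak settings found.
audit_config() {
    conf="$1"; findings=0
    if find_quic_listen "$conf" >/dev/null; then
        echo "HTTP/3 enabled: remove quic from listen directives (CVE-2026-42530 mitigation)"
        findings=$((findings + 1))
    fi
    if has_ignore_invalid_headers_off "$conf"; then
        echo "ignore_invalid_headers off is set: remove it (CVE-2026-42055 mitigation)"
        findings=$((findings + 1))
    fi
    if [ "$(header_buffer_bytes "$conf")" -ge $((2 * 1024 * 1024)) ]; then
        echo "large_client_header_buffers size is 2m or more: lower it (CVE-2026-42055 mitigation)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

audit_config "$SAMPLE_CONF" || echo "findings: $?"
```

Against a real deployment, replace SAMPLE_CONF with the output of `nginx -T` so server blocks pulled in via include are covered.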
The company also addressed two high-severity NGINX Gateway Fabric security flaws, tracked as CVE-2026-11311 and CVE-2026-50107, that can be exploited by authenticated attackers to inject arbitrary NGINX configuration directives.
While F5 didn't flag any of these security issues as exploited in attacks, F5 vulnerabilities have often been exploited by both cybercrime and nation-state threat groups in recent years.
For instance, hackers have targeted security flaws in F5 products to breach corporate networks, deploy data-wiping malware, map internal servers, hijack devices, and steal sensitive documents from victims worldwide.
F5 also disclosed in October that state-backed attackers breached its systems in August 2025 and stole undisclosed BIG-IP security vulnerabilities and source code.
Over the past several years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged seven F5 vulnerabilities as actively exploited, with four of them targeted in ransomware attacks.
F5 is a Fortune 500 technology company that provides cybersecurity, application delivery networking (ADN), and various other services to over 23,000 customers worldwide, including 48 of the Fortune 50 companies and 80% of the Fortune Global 500.
<small>Source: Bleeping Computer</small>