F5 released out-of-band security updates to address multiple NGINX web server vulnerabilities. These updates provide fixes for NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager.

The updates resolve two critical-severity vulnerabilities, CVE-2026-42530 and CVE-2026-42055, which both received a CVSS score of 9.2. Unauthenticated remote attackers can exploit these critical vulnerabilities to trigger a denial-of-service condition or execute code on NGINX systems that have non-default configurations. Successful exploitation of these vulnerabilities leads to a use-after-free or heap-based buffer overflow within the NGINX worker process, causing the worker process to restart.

CVE-2026-42530 specifically affects the ngx_http_v3_module, while CVE-2026-42055 affects the ngx_http_proxy_v2_module and ngx_http_grpc_module. Attackers can execute arbitrary code on systems where Address Space Layout Randomization is disabled or can be bypassed. Administrators can mitigate CVE-2026-42530 by disabling HTTP/3. For CVE-2026-42055, mitigation involves removing the ignore_invalid_headers off directive and reducing the large_client_header_buffers directive size to below 2 megabytes.
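The mitigations above can be checked against a configuration file. The following is an added example, not code from F5 or NGINX: a small audit that flags the three settings the mitigations name. It assumes a simplified directive parser (no quoted strings or include files) and treats a `listen ... quic` listener as the sign that HTTP/3 is enabled; the sample configurations are constructed.

```python
import re

LIMIT = 2 * 1024 * 1024          # page: keep the buffer size "below 2 megabytes"
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def directives(text):
    """Yield (name, args) per directive. Simplified: no quoted-string or include handling."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in re.split(r"[;{}]", no_comments):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(text):
    """Return (CVE, message) findings for the settings the advisory's mitigations name."""
    findings = []
    for name, args in directives(text):
        if name == "ignore_invalid_headers" and args == ["off"]:
            findings.append(("CVE-2026-42055", "ignore_invalid_headers off is set"))
        elif name == "large_client_header_buffers" and len(args) == 2:
            m = re.fullmatch(r"(\d+)([kKmM]?)", args[1])
            if m and int(m.group(1)) * UNITS[m.group(2).lower()] >= LIMIT:
                findings.append(("CVE-2026-42055",
                                 f"large_client_header_buffers size {args[1]} is not below 2m"))
        elif name == "listen" and "quic" in args:
            # Assumption: a QUIC listener is what enables HTTP/3 on this server.
            findings.append(("CVE-2026-42530", "HTTP/3 enabled via listen ... quic"))
    return findings

# Constructed sample configurations, not taken from the advisory.
RISKY = """
http {
    ignore_invalid_headers off;          # accepts invalid header names
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl;
        listen 443 quic reuseport;
        location / { grpc_pass grpc://127.0.0.1:50051; }
    }
}
"""
MITIGATED = "http { large_client_header_buffers 4 8k; server { listen 443 ssl; } }"

if __name__ == "__main__":
    for cve, msg in audit(RISKY):
        print(f"{cve}: {msg}")
```

A clean result only means these three settings were not found in the text that was scanned; included files have to be audited separately.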

F5 also patched two high-severity vulnerabilities in NGINX Gateway Fabric, identified as CVE-2026-11311 and CVE-2026-50107. Authenticated attackers can exploit these to inject arbitrary configuration directives. F5 stated, "Successful exploitation may allow the attacker to expose sensitive data from the NGINX pod filesystem, proxy traffic to attacker-controlled endpoints, or cause a denial-of-service condition by injecting configuration that prevents NGINX from reloading."

Additionally, F5 announced patches for two medium-severity NGINX vulnerabilities. These vulnerabilities could allow remote attackers to disclose memory contents or restart the NGINX worker process. F5 did not report that any of the newly disclosed NGINX vulnerabilities are being actively exploited.

F5 is a Fortune 500 technology company that provides cybersecurity and application delivery networking services to over 23,000 customers worldwide. Cybercrime and nation-state threat groups have targeted F5 product vulnerabilities in recent years to breach networks, deploy malware, and steal data.