F5 has released an out-of-band security notification addressing multiple high‑severity vulnerabilities in NGINX components that can enable remote code execution (RCE) and denial‑of‑service (DoS) attacks in certain configurations, urging customers to patch or upgrade affected deployments immediately.
On June 17, 2026, F5 issued an out-of-band security notification (K000161614) summarizing several high- and medium-severity flaws across NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX Gateway Fabric, NGINX Ingress Controller, and associated App Protect WAF/DoS modules.
The advisory, updated on June 18, 2026, highlights the elevated risk to HTTP/2, HTTP/3, and gRPC traffic handling paths and provides customers with a consolidated view of impacted products, versions, and fixed releases.
This notification supplements F5’s regular Quarterly Security Notifications and is being echoed by national CERTs, underscoring its urgency.
Critical NGINX HTTP/3 Module Flaw (CVE-2026-42530)
The most prominent issue, tracked as CVE-2026-42530 and detailed in F5 article K000161616, affects the NGINX ngx_http_v3_module when NGINX is configured to use the HTTP/3 QUIC module.
A remote, unauthenticated attacker can send specially crafted HTTP/3 traffic to reopen a QPACK encoder stream, triggering a use-after-free in the NGINX worker process that can repeatedly crash workers, causing DoS, and potentially allowing code execution on systems where ASLR is disabled or can be bypassed.
F5 assigns this bug a CVSS v3.1 base score of 8.1 and a CVSS v4.0 base score of 9.2, reflecting its high-to-critical impact profile on modern deployments.
A second high-severity issue, CVE-2026-42055 (K000161584), targets NGINX Plus and NGINX Open Source when using the ngx_http_proxy_v2_module or gRPC module with HTTP/2 backends.
When proxy_http_version is set to 2 or gRPC upstreams are enabled, malformed or malicious HTTP/2 or gRPC streams can lead to memory-handling flaws that may manifest as crashes and possibly code execution, depending on the environment’s hardening.
This flaw is also rated at 8.1 (CVSS v3.1) and 9.2 (CVSS v4.0), aligning it with the HTTP/3 vulnerability in terms of severity from F5’s perspective.
F5 additionally discloses multiple high-severity vulnerabilities in NGINX Gateway Fabric, including CVE-2026-11311 and CVE-2026-50107, described in K000161611 and K000161785, respectively.
These issues affect various 2.x Gateway Fabric releases. They can result in routing instability, service disruptions, or other impacts on integrity and availability within service-mesh and gateway deployments. F5 introduces fixes in Gateway Fabric 2.6.4, which is now the recommended target version for affected customers.
High CVE Matrix
Below is a consolidated table of the high‑severity CVEs and their core technical metadata as provided by F5, focusing on CVSS scores, affected products, versions, and fixes.
| CVE / Article | CVSS v3.1 | CVSS v4.0 | Affected products | Affected versions | Fixed in |
|---|---|---|---|---|---|
| CVE-2026-42530 (K000161616) | 8.1 (High) | 9.2 (Critical) | NGINX Open Source | 1.31.0 – 1.31.1 | 1.31.2 |
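| CVE-2026-42530 (K000161616) | 8.1 (High) | 9.2 (Critical) | NGINX Instance Manager | 2.17.0 – 2.22.0 | None (no fix yet) |
| CVE-2026-42530 (K000161616) | 8.1 (High) | 9.2 (Critical) | NGINX Gateway Fabric | 2.0.0 – 2.6.3, 1.3.0 – 1.6.2 | 2.6.4 |
| CVE-2026-42530 (K000161616) | 8.1 (High) | 9.2 (Critical) | NGINX Ingress Controller | 5.0.0 – 5.5.0, 4.0.0 – 4.0.1, 3.5.0 – 3.7.2 | None (no fix yet) |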
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX Plus | 37.0.0 – 37.0.1, R33 – R36 | 37.0.2.1, R36 P6 |
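| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX Open Source | 1.31.1, 1.30.0 – 1.30.2 | 1.31.2, 1.30.3 |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX Instance Manager | 2.17.0 – 2.22.0 | None |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | F5 WAF for NGINX | 5.9.0 – 5.13.1 | None |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX App Protect WAF | 5.2.0 – 5.8.0, 4.10.0 – 4.16.0 | None |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | F5 DoS for NGINX | 4.9.0 | None |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX App Protect DoS | 4.3.0 – 4.7.0 | None |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX Gateway Fabric | 2.0.0 – 2.6.3, 1.3.0 – 1.6.2 | None |
| CVE-2026-42055 (K000161584) | 8.1 (High) | 9.2 (Critical) | NGINX Ingress Controller | 5.0.0 – 5.5.0, 4.0.0 – 4.0.1, 3.5.0 – 3.7.2 | None |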
| CVE-2026-11311 (K000161611) | 8.1 (High) | 8.6 (High) | NGINX Gateway Fabric | 2.5.0 – 2.6.3 | 2.6.4 |
| CVE-2026-50107 (K000161785) | 8.1 (High) | 8.6 (High) | NGINX Gateway Fabric | 2.3.0 – 2.6.3 | 2.6.4 |
F5 strongly recommends upgrading NGINX Open Source to 1.31.2, NGINX Plus to 37.0.2.1 or R36 P6, NGINX Gateway Fabric to 2.6.4, and aligning Ingress Controller and App Protect components with forthcoming patched releases as they become available.
Organizations unable to patch immediately should consider turning off HTTP/3 and QUIC support, restricting HTTP/2 and gRPC exposure, enforcing strict access controls, and hardening ASLR and other exploitation mitigations as interim measures.
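For triage, the following added example (not from F5 or the original article) combines the NGINX Open Source version ranges in the table above with the configuration conditions the article names: a QUIC listener, `proxy_http_version 2`, and `grpc_pass`. The function names and the sample configuration are constructed for illustration.

```python
import re

# Affected NGINX Open Source ranges (inclusive), copied from the table above.
AFFECTED = {
    "CVE-2026-42530": [((1, 31, 0), (1, 31, 1))],
    "CVE-2026-42055": [((1, 31, 1), (1, 31, 1)), ((1, 30, 0), (1, 30, 2))],
}
# Directives that switch on the code path each CVE needs, per the article.
# A "quic" listener is used as the HTTP/3 signal.
TRIGGERS = {
    "CVE-2026-42530": [r"\blisten\s[^;]*\bquic\b"],
    "CVE-2026-42055": [r"\bproxy_http_version\s+2\s*;", r"\bgrpc_pass\s+\S"],
}

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    # listen 443 quic reuseport;
    location /api/ { grpc_pass grpc://10.0.0.5:50051; }
}
"""

def parse_version(text):
    """Accept '1.31.1' or the 'nginx version: nginx/1.31.1' line of `nginx -v`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())

def audit(version_text, conf):
    """Map each CVE to 'exposed', 'affected-version' or 'not-affected'."""
    version = parse_version(version_text)
    # Drop '#' comments so a commented-out directive is not counted
    # (simplification: a '#' inside a quoted string is also cut).
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    report = {}
    for cve, ranges in AFFECTED.items():
        in_range = any(lo <= version <= hi for lo, hi in ranges)
        enabled = any(re.search(p, body) for p in TRIGGERS[cve])
        if not in_range:
            report[cve] = "not-affected"
        else:
            report[cve] = "exposed" if enabled else "affected-version"
    return report

if __name__ == "__main__":
    for cve, status in audit("nginx version: nginx/1.31.1", SAMPLE_CONF).items():
        print(cve, status)
```

Passing the output of `nginx -T` as `conf` covers directives pulled in through `include` files. A host reported as `affected-version` still needs the upgrade; it is only lower in the queue than one reported as `exposed`.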
Administrators are further advised to monitor F5’s quarterly security notifications and vendor RSS/email channels to track future updates and any changes in exploitation status.