
F5 Releases Patches for Two Critical Remote Code Execution Flaws in NGINX Open Source

F5 has released security updates for NGINX Open Source to fix two critical vulnerabilities that could allow remote code execution. One flaw is a use-after-free bug in the HTTP/3 module exploitable by unauthenticated attackers, underscoring the importance of prompt patching.

What happened

F5 disclosed and patched two critical security vulnerabilities in NGINX Open Source. One of them, tracked as CVE-2026-42530 and rated 9.2 on the CVSS v4 scale, is a use-after-free vulnerability in the ngx_http_v3_module. It can be triggered by remote, unauthenticated attackers. Details of the second vulnerability were not fully specified in the source material. F5’s release contains the security updates that address both flaws.

Why it matters

NGINX Open Source is widely deployed as a high-performance web server and reverse proxy, so critical remote code execution vulnerabilities in it put a large number of organizations at risk. An attacker who exploits such a flaw can gain unauthorized control of the server, with significant operational and security consequences. The use-after-free in the HTTP/3 module is of particular concern because adoption of HTTP/3 continues to grow, widening the population of exposed listeners.

What security teams should do

Security teams running NGINX Open Source should apply the F5 patches promptly. They should also inventory systems whose NGINX build includes the HTTP/3 module and whose configuration exposes an HTTP/3 (QUIC) listener, since those are the deployments reachable by an unauthenticated attacker. Monitoring for unusual activity and signs of attempted remote code execution strengthens the defensive posture, and following vendor guidance for configuration and patch management remains essential to minimizing risk.
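As an added example (not from the article or from F5), the following POSIX shell check supports the exposure review described above: it tests whether an NGINX build string lists ngx_http_v3_module and whether the supplied configuration text enables a QUIC (HTTP/3) listener, then combines the two into a simple exposure verdict. The build string, version number and configuration snippet are constructed sample inputs, and include files referenced by a config are not followed.

```shell
#!/bin/sh
# Added example: assess whether an NGINX deployment exposes ngx_http_v3_module.

# Does the build include the HTTP/3 module? $1 is the text of `nginx -V`.
has_http_v3_module() {
  printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# Count active `listen ... quic` directives in the config text $1,
# ignoring commented-out lines. Always exits 0 so it is safe under set -e.
quic_listener_count() {
  printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -c -E '^[[:space:]]*listen[^;]*[[:space:]]quic([[:space:];]|$)' \
    || true
}

# Verdict: "not-built" (module absent), "built-only" (module present, no
# QUIC listener), or "exposed" (module present and a QUIC listener is on).
assess_exposure() {
  if ! has_http_v3_module "$1"; then
    echo "not-built"
  elif [ "$(quic_listener_count "$2")" -gt 0 ]; then
    echo "exposed"
  else
    echo "built-only"
  fi
}

# Constructed sample inputs (version and paths are made up for illustration).
SAMPLE_V="nginx version: nginx/1.27.0
built with OpenSSL 3.0.2
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module"
SAMPLE_CONF="server {
    listen 443 ssl;
    listen 443 quic reuseport;
    # listen 8443 quic;
    server_name example.test;
}"

# Run against the local nginx when present, otherwise against the sample.
if command -v nginx >/dev/null 2>&1; then
  echo "local nginx: $(assess_exposure "$(nginx -V 2>&1)" "$(cat /etc/nginx/nginx.conf 2>/dev/null)")"
else
  echo "sample build: $(assess_exposure "$SAMPLE_V" "$SAMPLE_CONF")"
fi
```

A result of "exposed" identifies a host that should be prioritized for the F5 update; "built-only" hosts still need the patch but are not reachable over HTTP/3 until a QUIC listener is enabled.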

Key technical details

CVE-2026-42530 is a use-after-free vulnerability in the ngx_http_v3_module of NGINX Open Source, the module that handles HTTP/3 traffic. The flaw can be triggered remotely without authentication and can lead to remote code execution on the affected server. It carries a CVSS v4 score of 9.2 out of 10, placing it in the critical range. The source references a second critical flaw but does not give its details. Both vulnerabilities are addressed in the latest security update released by F5.

Affected organizations/products

The vulnerabilities affect deployments of NGINX Open Source that use the ngx_http_v3_module for HTTP/3 traffic. Organizations running this module in production are at risk until they patch. The source does not specify affected versions or any scope beyond the HTTP/3 module in NGINX Open Source.

Source attribution

https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html

Written by Thirumala Rao Padilam