Security | June 19, 2026 | 6 min read

Two Critical NGINX Bugs Dropped This Week And Who Is Actually At Risk

F5 shipped out-of-band patches on June 17, 2026 for two critical NGINX flaws, CVE-2026-42530 and CVE-2026-42055, both CVSS 9.2 and both unauthenticated. The headline is scary, but the exploitable surface is narrow. Here is which versions and configs are at risk, why it is a denial of service for most rather than code execution, and what to do.

Two Critical NGINX CVEs, And A Calmer Read

On June 17, 2026, F5 shipped an out-of-band advisory for NGINX covering two critical vulnerabilities, both scored CVSS 9.2 and both reachable by a remote, unauthenticated attacker. That sounds like a drop-everything moment, and patching is worth doing promptly. But the exploitable surface is narrower than the headline, and for most deployments the realistic worst case is a crash, not remote code execution. Here is the honest triage.

The Two Bugs

CVE-2026-42530 is a use-after-free in the ngx_http_v3_module, the HTTP/3 QUIC module. CVSS v4 is 9.2, and the CVSS v3.1 score is 8.1. A remote attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream and trigger the flaw, but only when NGINX is actually configured to serve HTTP/3. Affected: NGINX Open Source 1.31.0 and 1.31.1. Fixed in 1.31.2.

CVE-2026-42055 is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. CVSS v4 is 9.2. It is reachable only when NGINX proxies HTTP/2 upstream traffic. Affected: NGINX Open Source 1.13.10 through 1.31.1, plus NGINX Plus R33 through R36 and 37.0.0 to 37.0.1. Fixed in NGINX Open Source 1.31.2 and 1.30.3, and NGINX Plus 37.0.2.1 and R36 P6.

RCE Or DoS, Read The Fine Print

Both bugs cause the NGINX worker process to restart, which is a denial of service. Remote code execution is only on the table if Address Space Layout Randomization is disabled, or the attacker can bypass it. On a modern Linux box ASLR is on by default, so for the large majority of servers the realistic impact is a flapping worker, not arbitrary code execution. That is still worth patching, but it is not internet-to-root in a single packet.

Who Is Actually At Risk

For CVE-2026-42530, two things must both be true: you run NGINX 1.31.0 or 1.31.1, and you serve HTTP/3. HTTP/3 is still opt-in and far from universal in production, and most servers on the stable branches (1.24, 1.26, 1.28) are not on the 1.31 mainline at all. If you do not serve HTTP/3, this one does not touch you.

For CVE-2026-42055, the version range is wide, but exploitation needs three conditions at once: you proxy HTTP/2 upstream (using proxy_http_version 2 or grpc_pass), you have set ignore_invalid_headers off (the default is on), and your large_client_header_buffers size is larger than 2 MB (the default is far smaller). All three together is an unusual configuration. If your config does not match the full set, you are not exploitable, though you should still patch.

Check Your Exposure In Two Minutes

  1. Version. Run nginx -v. If you are below 1.31.2, or below 1.30.3 on the 1.30 branch, you are in range for at least one of these.
  2. HTTP/3. Search your config for http3, quic, or a listen line with quic. Nothing there means CVE-2026-42530 does not apply to you.
  3. The proxy combination. Search for grpc_pass, proxy_http_version 2, ignore_invalid_headers off, and any large_client_header_buffers over 2 MB. You need the full combination to be exposed to CVE-2026-42055.
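The three checks above, as an added POSIX shell script that is example code, not F5's tooling or anything from the article. It takes a version string (either the bare number or the `nginx/1.31.1` form printed by `nginx -v`) and a flat config file (the output of `nginx -T` works, since `include` directives are not followed), strips comments so commented-out directives do not count, and applies the version ranges and preconditions stated in the article. The two sample configs it writes to a temp directory are constructed for the dry run; the `backend` hostnames in them are placeholders.

```shell
#!/bin/sh
# Added exposure check for CVE-2026-42530 / CVE-2026-42055 (example code, not F5's).
# Assumes a flat config file (e.g. the output of `nginx -T`) and a version string
# as printed by `nginx -v` ("nginx/1.31.1") or bare ("1.31.1").

# Split a version into MAJOR/MINOR/PATCH; distro suffixes such as "-1ubuntu" are dropped.
parse_version() {
    v=${1##*/}
    MAJOR=${v%%.*}; rest=${v#*.}
    MINOR=${rest%%.*}
    case "$rest" in *.*) PATCH=${rest#*.} ;; *) PATCH=0 ;; esac
    PATCH=${PATCH%%[!0-9]*}; : "${PATCH:=0}"
}

# CVE-2026-42530: only 1.31.0 and 1.31.1 are affected (fixed in 1.31.2).
version_affected_42530() {
    parse_version "$1"
    [ "$MAJOR" -eq 1 ] && [ "$MINOR" -eq 31 ] && [ "$PATCH" -lt 2 ]
}

# CVE-2026-42055: 1.13.10 through 1.31.1, with fixes in 1.30.3 and 1.31.2.
version_affected_42055() {
    parse_version "$1"
    [ "$MAJOR" -eq 1 ] || return 1
    if   [ "$MINOR" -lt 13 ]; then return 1
    elif [ "$MINOR" -eq 13 ]; then [ "$PATCH" -ge 10 ]
    elif [ "$MINOR" -eq 30 ]; then [ "$PATCH" -lt 3 ]
    elif [ "$MINOR" -eq 31 ]; then [ "$PATCH" -lt 2 ]
    else [ "$MINOR" -lt 31 ]
    fi
}

# Config lines with comments stripped, so commented-out directives do not count.
active_lines() { sed 's/#.*//' "$1"; }

# Precondition for CVE-2026-42530: a QUIC listener or an http3 directive.
serves_http3() {
    active_lines "$1" | grep -Eq '(^|[[:space:]])(quic|http3)([[:space:]]|;|$)'
}

# The three preconditions for CVE-2026-42055, one function each.
proxies_http2_upstream() {
    active_lines "$1" | grep -Eq '(^|[[:space:]])(grpc_pass[[:space:]]|proxy_http_version[[:space:]]+2([[:space:]]|;))'
}
ignore_invalid_headers_off() { active_lines "$1" | grep -Eq 'ignore_invalid_headers[[:space:]]+off[[:space:]]*;'; }
# Largest large_client_header_buffers size in bytes (0 if the directive is absent).
max_header_buffer_bytes() {
    active_lines "$1" | awk '
        BEGIN { max = 0 }
        $1 == "large_client_header_buffers" {
            sz = $3; sub(/;$/, "", sz)
            n = sz + 0                                  # numeric prefix of e.g. "4m"
            unit = tolower(substr(sz, length(sz), 1))
            if (unit == "k") n *= 1024
            else if (unit == "m") n *= 1024 * 1024
            if (n > max) max = n
        }
        END { print max }'
}
exposed_to_42055() {
    proxies_http2_upstream "$1" && ignore_invalid_headers_off "$1" &&
        [ "$(max_header_buffer_bytes "$1")" -gt 2097152 ]   # 2 MB
}

# One verdict per CVE for a given version and config file.
report() {
    ver=$1; conf=$2
    printf 'nginx %s with %s\n' "$ver" "$conf"
    if version_affected_42530 "$ver" && serves_http3 "$conf"; then
        echo "  CVE-2026-42530: EXPOSED (affected version and HTTP/3 enabled)"
    else
        echo "  CVE-2026-42530: not exposed"
    fi
    if version_affected_42055 "$ver" && exposed_to_42055 "$conf"; then
        echo "  CVE-2026-42055: EXPOSED (affected version and all three config preconditions)"
    else
        echo "  CVE-2026-42055: not exposed"
    fi
}

# Constructed sample configs for a dry run; point the script at `nginx -T` output instead.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_RISKY=$SAMPLE_DIR/risky.conf
SAMPLE_SAFE=$SAMPLE_DIR/safe.conf
cat > "$SAMPLE_RISKY" <<'EOF'
http {
    large_client_header_buffers 4 4m;
    ignore_invalid_headers off;
    server {
        listen 443 quic reuseport;   # HTTP/3 listener
        http3 on;
        location /api  { proxy_http_version 2; proxy_pass https://backend; }
        location /grpc { grpc_pass grpc://backend:50051; }
    }
}
EOF
cat > "$SAMPLE_SAFE" <<'EOF'
http {
    large_client_header_buffers 4 16k;
    # ignore_invalid_headers off;   (commented out, so the default "on" applies)
    server {
        listen 443 ssl;
        location / { proxy_pass http://backend; }
    }
}
EOF

report nginx/1.31.1 "$SAMPLE_RISKY"   # both EXPOSED
report nginx/1.31.2 "$SAMPLE_RISKY"   # fixed release: neither
report nginx/1.26.3 "$SAMPLE_SAFE"    # in the 42055 version range, but the config breaks the chain
```

The safe sample also shows the shape of the stopgap from the next section: with `ignore_invalid_headers` back at its default and the header buffers well under 2 MB, the script reports not exposed even on an affected version, which is exactly the "break one precondition" logic the article describes.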

What To Do

  1. Patch to a fixed release: NGINX Open Source 1.31.2 or 1.30.3, or NGINX Plus 37.0.2.1 or R36 P6. NGINX Gateway Fabric users should move to 2.6.4, which also resolves two high-severity issues, CVE-2026-11311 and CVE-2026-50107.
  2. If you cannot patch right away and you match the preconditions, break them as a stopgap: drop the HTTP/3 quic listeners for CVE-2026-42530, or restore ignore_invalid_headers to on, or lower large_client_header_buffers below 2 MB for CVE-2026-42055.
  3. Confirm ASLR is enabled so the worst case stays a crash rather than code execution. On Linux, cat /proc/sys/kernel/randomize_va_space should return 2.
  4. Reload NGINX after patching and confirm the version with nginx -v.

The Takeaway

Patch these, but keep the panic proportional. A 9.2 score does not mean every NGINX on the internet is one request from root. These two need specific versions and, in one case, an uncommon configuration, and for most deployments the realistic impact is a worker crash rather than code execution. Triage against your actual version and config, fix on a sensible schedule, and do not let the score alone decide how loudly you react.

Triaging CVEs against real exposure instead of the raw score, and patching a fleet without downtime, is exactly what our security and compliance work and our server management work cover. For the same calm-triage approach applied to the earlier NGINX flaw, see our note on NGINX Rift.

Sources

The two CVEs, their CVSS v4 9.2 scores, the affected and fixed version ranges, and the exploit preconditions are from F5's out-of-band NGINX advisory of June 17, 2026, the NGINX security advisories page, and the NVD entries for CVE-2026-42530 (CWE-416, CVSS v4 9.2 and CVSS v3.1 8.1) and CVE-2026-42055. Both issues cause a worker-process denial of service by default, with remote code execution contingent on ASLR being disabled or bypassed.

Talk to the engineer who will own your stack.

No account managers, no offshore handoff. Senior DevOps, direct. Book a free 30-minute call and get a straight answer.