F5 patches NGINX vulnerabilities that can cause crashes and possible code execution
F5 has issued an out-of-band security notification for multiple NGINX vulnerabilities affecting NGINX Open Source, NGINX Plus, and related Kubernetes products. The most urgent fixes address memory-safety flaws that can crash NGINX worker processes and, in one case, may allow code execution under specific conditions.
The F5 advisory was published on June 17, 2026, and covers several CVEs across core NGINX modules and NGINX Gateway Fabric. Administrators running internet-facing NGINX systems should review exposure and apply the fixed releases quickly.
The NGINX security advisories page lists three newly patched core NGINX issues: CVE-2026-42530 in HTTP/3, CVE-2026-42055 in proxy and gRPC handling, and CVE-2026-48142 in charset processing.
What F5 fixed in the NGINX update
The June 17 update includes fixes in NGINX 1.30.3 stable and NGINX 1.31.2 mainline. According to the NGINX news page, those releases fix CVE-2026-42055 and CVE-2026-48142, while NGINX 1.31.2 also fixes CVE-2026-42530.
CVE-2026-42530 affects NGINX Open Source when the HTTP/3 QUIC module is enabled. CVE-2026-42055 affects NGINX Open Source and NGINX Plus in configurations that proxy HTTP/2 or gRPC traffic under specific settings.
CVE-2026-48142 is less severe, but still important. It can cause limited memory disclosure or a worker process restart when certain charset directives are configured.
| CVE | Affected area | Main risk | Fixed version |
|---|---|---|---|
| CVE-2026-42530 | ngx_http_v3_module | Use-after-free, worker restart, denial of service | NGINX Open Source 1.31.2 |
| CVE-2026-42055 | ngx_http_proxy_v2_module and ngx_http_grpc_module | Heap buffer overflow, denial of service, possible code execution in limited conditions | NGINX Open Source 1.30.3 and 1.31.2, plus fixed NGINX Plus builds listed by F5 |
| CVE-2026-48142 | ngx_http_charset_module | Limited memory disclosure or worker restart | NGINX Open Source 1.30.3 and 1.31.2, plus fixed NGINX Plus builds listed by F5 |
CVE-2026-42530 affects HTTP/3 deployments
The NVD entry for CVE-2026-42530 says the flaw affects NGINX Open Source deployments configured to use the HTTP/3 QUIC module. An unauthenticated remote attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.
That behavior can trigger a use-after-free condition in the NGINX worker process. The most clearly described impact is a worker restart, which can degrade service availability.
The NGINX project lists NGINX Open Source 1.31.0 and 1.31.1 as vulnerable, while 1.31.2 and later are not vulnerable.
CVE-2026-42055 carries the main code-execution warning
The F5 advisory for CVE-2026-42055 says the issue affects the ngx_http_proxy_v2_module and ngx_http_grpc_module. The flaw can be reached when NGINX proxies HTTP/2 traffic through specific proxy or gRPC configurations.
The bug can cause a heap-based buffer overflow in an NGINX worker process. F5 and CVE records note that the flaw can lead to a restart, and code execution is possible on systems where ASLR is disabled or when an attacker can bypass ASLR.
This distinction matters. Administrators should treat the flaw seriously, but they should not describe every affected deployment as automatically exposed to reliable remote code execution.
- The attacker must reach the vulnerable NGINX data plane.
- The affected configuration must proxy HTTP/2 or gRPC traffic in a vulnerable way.
- A denial-of-service outcome is the more direct risk.
- Code execution depends on additional system conditions.
CVE-2026-48142 can expose limited memory
The NVD entry for CVE-2026-48142 says the flaw affects NGINX Plus and NGINX Open Source when content is served or proxied through a location block configured with source_charset utf-8 and another charset directive.
A remote unauthenticated attacker can send requests that may cause a heap buffer over-read in the NGINX worker process. The result can be limited memory disclosure or a worker restart.
Although this issue has a lower severity than the HTTP/3 and proxy-related flaws, organizations should patch it in the same maintenance window because the fixed NGINX releases address all three core issues.
NGINX Gateway Fabric also received fixes
F5 also disclosed vulnerabilities in NGINX Gateway Fabric, including CVE-2026-11311 and CVE-2026-50107. These flaws involve injection issues in the NGINX configuration generator used by Gateway Fabric.
According to the NVD entry for CVE-2026-50107, user-supplied values from the NginxProxy custom resource access log format setting are rendered into NGINX configuration templates without proper sanitization or escaping.
These issues matter most in Kubernetes environments where users or automation systems can create or modify Gateway Fabric resources. The exposure depends on RBAC permissions and how Gateway Fabric is deployed.
| Product area | Issue type | Primary concern |
|---|---|---|
| NGINX Open Source HTTP/3 | Use-after-free | Worker restart or denial of service |
| NGINX proxy and gRPC modules | Heap buffer overflow | Worker restart and possible code execution in limited conditions |
| NGINX charset module | Heap buffer over-read | Limited memory disclosure or worker restart |
| NGINX Gateway Fabric | Configuration injection | Unexpected or unsafe NGINX configuration generation |
Who should patch first?
Internet-facing NGINX systems should receive the highest priority, especially if they use HTTP/3, proxy HTTP/2 traffic upstream, expose gRPC services, or run as part of a Kubernetes gateway layer.
The Singapore Cyber Security Agency also warned that attackers could exploit high-severity NGINX vulnerabilities to cause worker process crashes and, under certain conditions, achieve remote code execution.
Organizations should patch production systems quickly, but they should also test configuration compatibility. NGINX updates can affect gateway behavior, reverse proxy routing, HTTP/3 support, gRPC handling, and Kubernetes ingress or gateway traffic.
- Update NGINX Open Source stable deployments to 1.30.3 or later.
- Update NGINX Open Source mainline deployments to 1.31.2 or later.
- Apply the fixed NGINX Plus builds listed in F5 guidance.
- Update NGINX Gateway Fabric to a fixed release where applicable.
- Restart NGINX workers after patching and confirm the running binary version.
- Review whether HTTP/3, gRPC, proxy HTTP/2, or charset directives are enabled.
Temporary mitigations where patching is delayed
Patching is the preferred fix. Where teams cannot upgrade immediately, they should reduce exposure by disabling unused vulnerable features and restricting access to affected services.
For CVE-2026-42530, administrators should review whether HTTP/3 and QUIC are enabled. The CVE-2026-42530 description ties exploitation to the HTTP/3 QUIC module, so disabling unused HTTP/3 support can reduce immediate risk while upgrades are prepared.
For CVE-2026-42055, administrators should identify configurations using proxy_http_version 2 or grpc_pass with risky header-handling settings. The F5 CVE-2026-42055 advisory should guide the final configuration review.
| Area to review | Why it matters |
|---|---|
| HTTP/3 and QUIC | Relevant to CVE-2026-42530 |
| proxy_http_version 2 | Relevant to CVE-2026-42055 |
| grpc_pass | Relevant to CVE-2026-42055 |
| source_charset and charset directives | Relevant to CVE-2026-48142 |
| NginxProxy CRD permissions | Relevant to Gateway Fabric injection issues |
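The patch checklist above asks administrators to confirm the running binary version, and the mitigation table lists the directives to look for when an upgrade has to wait. The script below is an added example, not code from F5, the NGINX project, or the advisory: it compares an NGINX Open Source version string against the fixed releases named in this article and flags those configuration areas in a config file. The fixed version numbers and directive names are the ones the article cites; the sample configuration in `write_sample_conf` is constructed for the demonstration, and the `--demo` switch is this script's own convention.

```shell
#!/bin/sh
# Added example, not code from F5, the NGINX project, or the advisory itself.
# It checks an NGINX Open Source version against the fixed releases the article
# names and flags the configuration areas its mitigation table says to review.
# The sample configuration in write_sample_conf is constructed for the demo.

# Pull "1.30.3" out of the banner printed by `nginx -v` (it goes to stderr, so
# run it as `nginx -v 2>&1`). Distribution suffixes such as "-1~bookworm" are
# dropped so only the upstream version is compared.
nginx_version_from_banner() {
    v=${1##*nginx/}
    printf '%s\n' "${v%%[!0-9.]*}"
}

# Exit status 0: fixed Open Source release (1.30.3 or later stable, 1.31.2 or
# later mainline). 1: one of those branches but older than the fix.
# 2: a branch the article's Open Source table does not cover, including any
# NGINX Plus build, for which F5's per-product guidance applies instead.
nginx_is_fixed() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; rest=${rest#*.}
    pat=${rest%%.*}
    [ "$maj" = 1 ] || return 2
    case "$min" in
        30) [ "$pat" -ge 3 ] && return 0 || return 1 ;;
        31) [ "$pat" -ge 2 ] && return 0 || return 1 ;;
        *)  return 2 ;;
    esac
}

# Print one line per risky area present in a config file. Comments are stripped
# first so a commented-out directive is not reported. The charset check is
# deliberately coarse: it fires when both source_charset utf-8 and a charset
# directive are set anywhere, the combination the CVE record describes, and
# leaves confirming the exact location block to the reviewer.
audit_nginx_conf() {
    body=$(sed 's/#.*$//' "$1")
    printf '%s\n' "$body" | grep -Eq 'listen[^;]*[[:space:]]quic|(^|[[:space:]])http3[[:space:]]+on' \
        && echo "HTTP/3 (QUIC) enabled: review for CVE-2026-42530"
    printf '%s\n' "$body" | grep -Eq 'proxy_http_version[[:space:]]+2([[:space:]]|;)' \
        && echo "proxy_http_version 2 in use: review for CVE-2026-42055"
    printf '%s\n' "$body" | grep -Eq '(^|[[:space:]])grpc_pass[[:space:]]' \
        && echo "grpc_pass in use: review for CVE-2026-42055"
    printf '%s\n' "$body" | grep -Eq 'source_charset[[:space:]]+utf-8' \
        && printf '%s\n' "$body" | grep -Eq '(^|[[:space:]])charset[[:space:]]+[^;]+;' \
        && echo "source_charset utf-8 combined with charset: review for CVE-2026-48142"
    return 0
}

# Constructed sample config that exercises every check; the commented-out
# directive near the end must not be reported.
write_sample_conf() {
    cat > "$1" <<'EOF'
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;
        http3 on;
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
        location /rpc/ {
            grpc_pass grpc://backend:50051;
        }
        location /legacy/ {
            source_charset utf-8;
            charset koi8-r;
        }
        # proxy_http_version 2;
    }
}
EOF
}

# Demo: `sh audit.sh --demo` audits the sample; on a real host feed it the
# `nginx -v 2>&1` banner and the path to the config (or `nginx -T` output).
if [ "${1:-}" = "--demo" ]; then
    ver=$(nginx_version_from_banner 'nginx version: nginx/1.31.1')
    nginx_is_fixed "$ver" && echo "$ver: fixed release" || echo "$ver: not a fixed release (status $?)"
    tmp=$(mktemp); write_sample_conf "$tmp"; audit_nginx_conf "$tmp"; rm -f "$tmp"
fi
```

The version check only encodes the two Open Source branches the article gives fixed numbers for; anything else, NGINX Plus in particular, returns status 2 so that nobody mistakes "not listed" for "fixed". The config audit is a pointer to where to look, not a verdict: a hit on `grpc_pass` or `proxy_http_version 2` still needs the F5 advisory for CVE-2026-42055 to decide whether the specific settings in that location are the affected ones.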
What defenders should monitor
Security teams should look for unexplained NGINX worker restarts, HTTP/3 anomalies, unusual QUIC traffic, malformed large headers, abnormal gRPC requests, and unexpected changes in the configuration that Gateway Fabric generates.
The CVE-2026-48142 record also shows why logs alone may not be enough. A memory disclosure or restart condition may appear as instability unless teams correlate it with incoming requests and configuration paths.
For Kubernetes environments, administrators should review RBAC permissions for users or services that can change NGINX Gateway Fabric custom resources. The CVE-2026-50107 record points to user-supplied CRD values, so resource-write permissions are part of the attack surface.
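The monitoring advice above comes down to two steps: spot worker processes that died on a signal rather than exiting cleanly, and correlate the crash with the requests that arrived at the same time. The script below is an added example, not code from F5 or the NGINX project, that does both on the master process's error log and a combined-format access log. Both log samples in `write_sample_logs` are constructed for the demonstration (the error-log line shape is the one NGINX emits for a signalled worker); the `--demo` switch and function names are this script's own.

```shell
#!/bin/sh
# Added example, not from F5 or the NGINX project: first-pass triage of NGINX
# logs for the worker-crash signature the article says to watch for, followed
# by pulling the requests that arrived in the same minute so the crash can be
# correlated with traffic. Both log samples below are constructed, in the
# formats the NGINX master process and the default combined access log use.

# Emit "<date> <HH:MM> <worker pid> <signal>" for every worker killed by a
# signal. A clean "exited with code 0" (reload, shutdown) is not matched, so
# only abnormal exits such as SIGSEGV (11) or SIGABRT (6) are listed.
worker_crash_events() {
    grep -E 'worker process [0-9]+ exited on signal [0-9]+' "$1" |
    sed -E 's|^([0-9/]+) ([0-9]+:[0-9]+):[0-9]+ .*worker process ([0-9]+) exited on signal ([0-9]+).*|\1 \2 \3 \4|'
}

# Group crash events by minute and print the minutes reaching the threshold
# (default 3) as "<date> <HH:MM> <count>". One crash can be anything; several in
# a minute on a host facing HTTP/3, gRPC, or HTTP/2 proxy traffic is what the
# advisory's "worker restart" impact looks like in practice.
crash_bursts() {
    worker_crash_events "$1" | awk -v t="${2:-3}" '
        { n[$1 " " $2]++ }
        END { for (k in n) if (n[k] >= t) print k, n[k] }' | sort
}

# Print "<client> <request line>" for access-log entries in a given minute,
# passed as the access-log timestamp prefix (e.g. 17/Jun/2026:09:14). Caveat:
# a worker that crashed mid-request never writes that request's entry, so the
# surviving lines show the traffic around the crash, not necessarily the trigger.
requests_in_minute() {
    grep -F "[$2:" "$1" | awk -F'"' '{ split($1, a, " "); print a[1], $2 }'
}

# Constructed samples: four segfaults within one minute, one graceful exit that
# must be ignored, one isolated abort later; and three access-log requests.
write_sample_logs() {
    cat > "$1" <<'EOF'
2026/06/17 09:14:02 [notice] 1000#1000: signal 17 (SIGCHLD) received from 1001
2026/06/17 09:14:02 [alert] 1000#1000: worker process 1001 exited on signal 11 (core dumped)
2026/06/17 09:14:02 [notice] 1000#1000: start worker process 1010
2026/06/17 09:14:03 [alert] 1000#1000: worker process 1002 exited on signal 11 (core dumped)
2026/06/17 09:14:05 [alert] 1000#1000: worker process 1003 exited on signal 11 (core dumped)
2026/06/17 09:14:05 [alert] 1000#1000: worker process 1004 exited on signal 11 (core dumped)
2026/06/17 10:30:11 [notice] 1000#1000: worker process 1010 exited with code 0
2026/06/17 11:02:44 [alert] 1000#1000: worker process 1020 exited on signal 6
EOF
    cat > "$2" <<'EOF'
198.51.100.7 - - [17/Jun/2026:09:14:01 +0000] "GET /api/items HTTP/3.0" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [17/Jun/2026:09:14:02 +0000] "GET /api/items HTTP/3.0" 499 0 "-" "curl/8.5.0"
203.0.113.5 - - [17/Jun/2026:09:15:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# Demo: `sh triage.sh --demo`; on a real host point the functions at
# /var/log/nginx/error.log and access.log (paths vary by distribution).
if [ "${1:-}" = "--demo" ]; then
    e=$(mktemp); a=$(mktemp); write_sample_logs "$e" "$a"
    echo "crash bursts:"; crash_bursts "$e"
    echo "requests during 17/Jun/2026:09:14:"; requests_in_minute "$a" 17/Jun/2026:09:14
    rm -f "$e" "$a"
fi
```

On the sample data the burst report is `2026/06/17 09:14 4`, and the requests in that minute are two HTTP/3.0 requests from one client, the second of which ended with a 499. That is the kind of pairing the article describes: instability in the error log that only becomes meaningful once it is lined up with the protocol and path of the traffic that hit the affected module. Note the two logs use different timestamp formats, so the minute key has to be given in the access-log form.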
Why this update matters
NGINX often sits at the front of production infrastructure. It handles web traffic, reverse proxy routing, API traffic, gRPC services, TLS termination, and Kubernetes gateway workloads.
The NGINX advisory list marks CVE-2026-42530 as a major HTTP/3 issue, while the June release also addresses proxy, gRPC, and charset issues. Even when each bug has configuration requirements, widespread NGINX use gives attackers many possible targets.
The NGINX release announcement confirms that both stable and mainline branches received fixes on June 17, 2026. That gives administrators a clear patch path for most Open Source deployments.
Bottom line
F5’s out-of-band NGINX notification deserves prompt action, especially for organizations running internet-facing NGINX, HTTP/3, gRPC, proxy HTTP/2, or NGINX Gateway Fabric. The update fixes issues that can cause worker crashes and, in one case, possible code execution under specific system conditions.
The F5 overview should be used as the starting point for product-specific guidance, because NGINX Open Source, NGINX Plus, and NGINX-related products do not all share the same fixed version path.
The CSA alert gives the practical takeaway: patch immediately where possible, and reduce exposure on systems that cannot be updated right away.
FAQ
F5 addressed multiple NGINX vulnerabilities, including CVE-2026-42530 in the HTTP/3 module, CVE-2026-42055 in proxy and gRPC modules, CVE-2026-48142 in the charset module, and injection flaws affecting NGINX Gateway Fabric.
CVE-2026-42055 can allow code execution only under specific conditions, such as when ASLR is disabled or an attacker can bypass ASLR. Other flaws mainly describe worker restarts, denial of service, limited memory disclosure, or configuration injection risks.
NGINX Open Source 1.30.3 stable and 1.31.2 mainline fix CVE-2026-42055 and CVE-2026-48142. NGINX Open Source 1.31.2 also fixes CVE-2026-42530. NGINX Plus users should follow F5’s product-specific fixed release guidance.
Internet-facing systems are most exposed, especially deployments using HTTP/3, QUIC, gRPC, proxy HTTP/2 configurations, charset conversion settings, or NGINX Gateway Fabric in Kubernetes environments.
Administrators should update NGINX Open Source to 1.30.3 or 1.31.2, apply fixed NGINX Plus and Gateway Fabric releases where applicable, review risky configurations, restrict exposed services where needed, and monitor for worker crashes or unusual HTTP/3, gRPC, and proxy traffic.