F5 disclosed multiple high-severity vulnerabilities affecting NGINX Open Source, NGINX Plus, and related products, including a critical heap-based buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module tracked as CVE-2026-42055. The flaw can be triggered remotely without authentication when HTTP/2 proxying or grpc_pass is enabled, ignore_invalid_headers is set to off, and large_client_header_buffers exceeds 2 MB, allowing oversized headers to crash worker processes and potentially enable code execution if ASLR is bypassed. F5 also disclosed CVE-2026-42530, a critical use-after-free in the open-source ngx_http_v3_module that can be exploited through a crafted HTTP/3 QUIC session to reopen a QPACK encoder stream, again causing worker restarts and possible code execution.
A separate issue, CVE-2026-11311, affects NGINX Gateway Fabric when NGINX Plus is used as the data plane, allowing authenticated users with permission to modify relevant CRDs to inject arbitrary NGINX directives through unsanitized values in NginxProxy.serverTokens and AuthenticationFilter.extraAuthArgs. F5's out-of-band advisory said the exposure spans a broad set of products, including NGINX Ingress Controller, NGINX Instance Manager, NGINX App Protect WAF, NGINX App Protect DoS, F5 WAF for NGINX Instance Manager, and F5 DoS for NGINX. Updated releases, including nginx 1.31.2 and the stable branch 1.30.3, were published to address the core NGINX flaws, and defenders were urged to patch affected versions or disable HTTP/3 QUIC where immediate updates are not possible.

Timeline (7 events, most recent first):
F5 fixed the NGINX Gateway Fabric vulnerabilities CVE-2026-11311 and CVE-2026-50107 in version 2.6.4. The update addresses high-severity configuration injection issues affecting deployments using NGINX Plus or NGINX Open Source as the data plane.
A high-severity injection vulnerability, CVE-2026-50107, was published for NGINX Gateway Fabric affecting deployments that use NGINX Plus or NGINX Open Source as the data plane. The flaw in the configuration generator lets an authenticated attacker who can modify NginxProxy CRDs inject arbitrary NGINX directives through unsanitized access log format values.
F5 published an out-of-band security advisory covering vulnerabilities across multiple F5 and NGINX products, including NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, NGINX Ingress Controller, and several App Protect and WAF offerings. The Canadian Centre for Cyber Security relayed the notice and urged administrators to review the advisory and apply updates.
A high-severity injection vulnerability, CVE-2026-11311, was published for NGINX Gateway Fabric when NGINX Plus is used as the data plane. The issue lets an authenticated attacker with permission to modify certain CRDs inject arbitrary NGINX configuration directives through unsanitized user-supplied values.
A critical vulnerability, CVE-2026-42530, was published affecting the NGINX Open Source ngx_http_v3_module when HTTP/3 QUIC is enabled. A specially crafted HTTP/3 session can reopen a QPACK encoder stream and trigger a use-after-free in the worker process, potentially causing restarts and possible code execution.
A critical vulnerability, CVE-2026-42055, was published affecting NGINX Plus and NGINX Open Source when HTTP/2 proxying or grpc_pass is used with ignore_invalid_headers set to off and large_client_header_buffers above 2 MB. The flaw allows a remote unauthenticated attacker to trigger a heap-based buffer overflow that can restart worker processes and may enable code execution under certain conditions.
The nginx project released nginx 1.31.2 and the stable branch update nginx 1.30.3 to address several security issues, including CVE-2026-42530 and CVE-2026-42055. The release also fixed CVE-2026-48142 and introduced unrelated functional changes such as a new $ssl_sigalgs variable and SipHash-2-4 for $request_id generation.
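The two core NGINX flaws above are only reachable under specific configuration conditions (CVE-2026-42055: grpc_pass or HTTP/2 proxying together with ignore_invalid_headers off and large_client_header_buffers larger than 2 MB; CVE-2026-42530: an HTTP/3 QUIC listener), so a defender's first question is whether a given nginx.conf actually meets them. The following audit script is an added example, not code from F5, the nginx project, or this story. It makes several labelled assumptions: the sample configurations are constructed; the advisory does not name the proxy-v2 directive, so the script recognizes only grpc_pass as the HTTP/2 proxying trigger; and it scans the file flat, ignoring include files and which block (http, server, location) a directive sits in, which makes it conservative rather than exact.

```python
import re

# Constructed sample configurations (hypothetical, not from the advisory).
# VULNERABLE_CONF meets all three stated preconditions for CVE-2026-42055.
VULNERABLE_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;   # above the 2 MB threshold
    server {
        listen 443 ssl;
        location /api/ {
            grpc_pass grpc://backend:50051;
        }
    }
}
"""

# HARDENED_CONF keeps grpc_pass but restores the default-sized buffers and
# header validation, so the overflow preconditions are no longer met.
HARDENED_CONF = """
http {
    ignore_invalid_headers on;
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
        location /api/ {
            grpc_pass grpc://backend:50051;
        }
    }
}
"""

# QUIC_CONF enables HTTP/3, the precondition for CVE-2026-42530.
QUIC_CONF = """
http {
    server {
        listen 443 quic reuseport;
        listen 443 ssl;
    }
}
"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
DEFAULT_HEADER_BUF = 8 * 1024          # nginx default: large_client_header_buffers 4 8k
CVE_42055_THRESHOLD = 2 * 1024 ** 2     # "exceeds 2 MB" per the advisory summary

def parse_size(token: str) -> int:
    """Convert an nginx size token such as '16k' or '4m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unsupported size: {token!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def directives(conf: str):
    """Yield (name, args) for each 'name args;' statement, skipping comments and block openers."""
    text = re.sub(r"#.*", "", conf)
    for stmt in re.finditer(r"([A-Za-z_]\w*)\s*([^;{}]*);", text):
        yield stmt.group(1), stmt.group(2).split()

def audit(conf: str) -> list[str]:
    """Return a list of findings describing which advisory preconditions the config meets."""
    ignore_invalid_off = False
    header_buf = None          # largest large_client_header_buffers size seen, if any
    h2_proxy = False           # assumption: only grpc_pass is recognized (see lead-in)
    quic = False
    for name, args in directives(conf):
        if name == "ignore_invalid_headers" and args and args[0] == "off":
            ignore_invalid_off = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            size = parse_size(args[1])
            header_buf = size if header_buf is None else max(header_buf, size)
        elif name == "grpc_pass":
            h2_proxy = True
        elif name == "listen" and "quic" in args:
            quic = True

    effective_buf = DEFAULT_HEADER_BUF if header_buf is None else header_buf
    findings = []
    if h2_proxy and ignore_invalid_off and effective_buf > CVE_42055_THRESHOLD:
        findings.append(
            "CVE-2026-42055 preconditions present: grpc_pass with "
            "ignore_invalid_headers off and large_client_header_buffers "
            f"{effective_buf} bytes (> 2 MB); upgrade nginx or restore defaults"
        )
    if quic:
        findings.append(
            "CVE-2026-42530 precondition present: HTTP/3 QUIC listener enabled; "
            "upgrade nginx or remove 'quic' from listen until patched"
        )
    return findings

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF),
                        ("hardened", HARDENED_CONF),
                        ("quic", QUIC_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against a real configuration with `audit(open("/etc/nginx/nginx.conf").read())`; because the scan is flat and ignores includes, concatenate `nginx -T` output first to see every included file, and treat a clean result as a prompt to verify the version, not as proof of safety.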