CVE-2026-42530
Published 2026-06-17
Priority P261 · high · CVSS 3.1 score 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.30% (87.0th percentile)
NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| f5 | nginx_open_source | >= 1.31.0 < 1.31.2 | 1.31.2 |
Detection & IOCs (extracted from sources)
- Trigger condition: NGINX must be configured to use the HTTP/3 QUIC module (`quic` present in `listen` directives). Detect exploitation attempts by monitoring for anomalous QPACK encoder stream reopening within HTTP/3 sessions on QUIC-enabled NGINX instances.
- Monitor the NGINX worker process for unexpected restarts, which is the observable crash symptom of successful Use-after-Free exploitation via this CVE.
- Code execution risk is elevated on systems where ASLR is disabled. Prioritize detection and patching on any NGINX host where ASLR is not enforced (e.g., `kernel.randomize_va_space != 2`).
- Mitigation/detection pivot: Audit NGINX configurations for the presence of `quic` in `listen` directives. Any instance with HTTP/3 QUIC enabled and running a vulnerable version (NGINX Open Source 1.30.0–1.30.2 or 1.31.0–1.31.1; NGINX Plus R33–R36 or 37.0.0–37.0.1) is an active attack surface.
- Red Hat notes that SELinux enforcement, ASLR, and NX stack protection significantly increase exploitation difficulty. Verify these OS-level mitigations are active on NGINX hosts as a compensating control.
- The vulnerability is only exploitable when NGINX is explicitly configured to use the HTTP/3 QUIC module. Default NGINX configurations are NOT affected.
- Exploitation also requires conditions beyond the attacker's full control (race/state conditions), making reliable exploitation harder but not impossible.
- Software versions that have reached End of Technical Support (EoTS) are not evaluated for this CVE by F5.
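The three host-side checks above (QUIC `listen` directives, affected Open Source version, and the `kernel.randomize_va_space` value) combined into one audit routine. This is an added example for this page, not a tool from F5 or any source cited here; the config text and sysctl value are constructed samples, the version ranges are the Open Source ranges quoted in the pivot note, and `#` to end of line is assumed to be the only comment syntax that matters.

```python
import re

# Affected NGINX Open Source ranges as listed in the pivot note above
# (inclusive bounds); NGINX Plus releases are not modelled here.
AFFECTED_RANGES = [((1, 30, 0), (1, 30, 2)), ((1, 31, 0), (1, 31, 1))]
# One `listen ...;` directive; comments are stripped before matching.
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]*?)\s*;", re.MULTILINE)

def parse_version(version):
    """'1.31.1' -> (1, 31, 1) so ranges compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def version_affected(version):
    """True when an Open Source version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def quic_listeners(config_text):
    """Listen directives carrying the `quic` parameter (HTTP/3 enabled).
    Assumes `#` to end of line is a comment, so commented-out listeners
    are ignored rather than reported as exposure."""
    stripped = re.sub(r"#.*", "", config_text)
    return [m.group(1) for m in LISTEN_RE.finditer(stripped)
            if "quic" in m.group(1).split()]

def assess(config_text, version, randomize_va_space):
    """Combine the three checks into one finding for a host.
    randomize_va_space is the integer kernel.randomize_va_space value;
    anything but 2 is flagged as weakened ASLR, per the note above."""
    listeners = quic_listeners(config_text)
    affected = version_affected(version)
    return {
        "quic_listeners": listeners,
        "version_affected": affected,
        "exposed": bool(listeners) and affected,
        "aslr_weak": randomize_va_space != 2,
    }

# Constructed sample config: one live QUIC listener, one commented out.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 on: counts as exposure
        # listen 8443 quic;          # commented out: must not count
        server_name example.test;
    }
}
"""
```

On a real host, feed `assess()` the output of `nginx -T`, the version from `nginx -v`, and the value read from `/proc/sys/kernel/randomize_va_space`.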
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | (not stated) | 8.1 | HIGH | (not stated) |
F5
CVE-2026-42530: NGINX Open Source has a vulnerability in the ngx_http_v3_module module
vendor_f5 · 2026-06-17 · CVSS 8.1 · HIGH · CWE-416
(Description identical to the summary above.)
F5 Advisory Articles: K000161616
F5 References: https://my.f5.com/manage/s/article/K000161616
Red Hat
nginx: ngx_http_v3_module: use-after-free issue leads to denial of service
vendor_redhat · 2026-06-17 · CVSS 8.1 · HIGH · CWE-416
(Description identical to the summary above.)
A flaw was found in the ngx_http_v3_module module of NGINX. When NGINX is configured to use the HTTP/3 QUIC
CVEList
NGINX Open-Source ngx_http_v3_module vulnerability
cvelistv5 · 2026-06-17 · CVSS 8.1 · HIGH · CWE-416
(Description identical to the summary above.)
GHSA
NGINX Open Source has a vulnerability in the ngx_http_v3_module module.
ghsa_unreviewed · 2026-06-17 · CRITICAL · CWE-416
(Description identical to the summary above.)
VulDB
F5 NGINX Open Source up to 1.31.1 QUIC use after free (K000161616)
vuldb · 2026-06-17 · CRITICAL
A vulnerability has been found in F5 NGINX Open Source up to 1.31.1 and classified as critical. Impacted is an unknown function of the component QUIC Module. This manipulation causes use after free.
This vulnerability is registered as CVE-2026-42530. Remote exploitation of the attack is possible. No exploit is available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
Hackernews
## F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
blogs_hackernews · 2026-06-18
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems.
The vulnerabilities are listed below:
- CVE-2026-42530 (CVSS v4 score: 9.2) - A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP/3 QUIC module to reopen a QPACK encoder stream by means of a specially crafted HTTP/3 session, and execute code on systems with Address Spac
Bleepingcomputer
## F5 issues out-of-band patches for critical NGINX vulnerabilities
blogs_bleepingcomputer · 2026-06-18
By Sergiu Gatlan
Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow attackers to execute code on vulnerable systems.
The two critical vulnerabilities were found in the ngx_http_v3_module (CVE-2026-42530) and the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and can be exploited by unauthenticated remote attackers to trigger a denial-of-service (DoS) attack or code execution on NGINX systems with non-default configurations.
Successful exploitation causes a use-after-free or heap-based buffer overflow in the NGINX worker process, leading to a restart. In both cases, they c
Bugzilla
CVE-2026-42530 nginx: ngx_http_v3_module: use-after-free issue leads to denial of service
bugzilla · 2026-06-17 · HIGH
(Description identical to the summary above.)
Published 2026-06-17