cbcvebase.
CVE-2026-42530
published 2026-06-17

CVE-2026-42530: NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote…

PriorityP261high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
EPSS
3.30%
87.0th percentile
NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected

1 ranges
VendorProductVersion rangeFixed in
f5nginx_open_source>= 1.31.0 < 1.31.21.31.2

Detection & IOCsextracted from sources · hover to see the quote

  • Trigger condition: NGINX must be configured to use the HTTP/3 QUIC module (quic present in listen directives). Detect exploitation attempts by monitoring for anomalous QPACK encoder stream reopening within HTTP/3 sessions on QUIC-enabled NGINX instances.
  • Monitor NGINX worker process for unexpected restarts, which is the observable crash symptom of successful Use-after-Free exploitation via this CVE.
  • Code execution risk is elevated on systems where ASLR is disabled. Prioritize detection and patching on any NGINX host where ASLR is not enforced (e.g., kernel.randomize_va_space != 2).
  • Mitigation/detection pivot: Audit NGINX configurations for the presence of 'quic' in listen directives. Any instance with HTTP/3 QUIC enabled and running a vulnerable version (NGINX Open Source 1.30.0–1.30.2 or 1.31.0–1.31.1; NGINX Plus R33–R36 or 37.0.0–37.0.1) is an active attack surface.
  • Red Hat notes that SELinux enforcement, ASLR, and NX stack protection significantly increase exploitation difficulty. Verify these OS-level mitigations are active on NGINX hosts as a compensating control.
  • ·Vulnerability is only exploitable when NGINX is explicitly configured to use the HTTP/3 QUIC module. Default NGINX configurations are NOT affected.
  • ·Exploitation also requires conditions beyond the attacker's full control (race/state conditions), making reliable exploitation harder but not impossible.
  • ·Software versions that have reached End of Technical Support (EoTS) are not evaluated for this CVE by F5.

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.2CRITICALCVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cvelistv5v3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat8.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.