NGINX CVE-2026-42530 and CVE-2026-42055: Patch Critical RCE Bugs

F5 and NGINX released fixes for CVE-2026-42530 and CVE-2026-42055, two remote unauthenticated NGINX flaws that can crash workers and may allow code execution in specific configurations.

F5 and the NGINX project have released security updates for two newly disclosed NGINX vulnerabilities, CVE-2026-42530 and CVE-2026-42055, that deserve fast review on internet-facing web and ingress infrastructure. Both issues can be reached remotely without authentication, both can restart NGINX worker processes, and F5 says code execution is possible on systems where Address Space Layout Randomization is disabled or can be bypassed.[1][2][3]

This is not the same issue as the recently exploited NGINX CVE-2026-42945 Rewrite Module flaw. The new advisory set matters because it touches common edge patterns: HTTP/3, HTTP/2 proxying, gRPC upstreams, NGINX Plus, and Kubernetes-facing NGINX Gateway Fabric deployments. Even when the exploit path depends on non-default conditions, these are exactly the kinds of configuration details that drift across load balancers, reverse proxies, and ingress controllers.

What administrators should check first

CVE-2026-42530 is a use-after-free issue in the ngx_http_v3_module. It affects NGINX Open Source 1.31.0 through 1.31.1 when HTTP/3 QUIC support is in use. NGINX lists version 1.31.2 and later as not vulnerable.[1] F5 describes the trigger as a specially crafted HTTP/3 session that reopens a QPACK encoder stream, which may crash the worker process and can become code execution under weaker memory-hardening assumptions.[2]

CVE-2026-42055 is a heap-based buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module. The vulnerable condition is narrower than the headline suggests, but it is practical enough to audit: NGINX is at risk when it proxies HTTP/2 traffic with proxy_http_version 2 or uses grpc_pass, has ignore_invalid_headers off, and sets large_client_header_buffers above 2 MB. NGINX lists 1.31.2 and 1.30.3 as fixed branches for open source builds, while F5 also documents NGINX Plus fixes in 37.0.2.1 and R36 P6.[1][3]

The first response step is simple: identify exposed NGINX systems running the affected branches and upgrade to NGINX Open Source 1.31.2 or 1.30.3, or the corresponding NGINX Plus and platform releases. Teams using NGINX Gateway Fabric, NGINX Ingress Controller, NGINX Instance Manager, App Protect WAF, or App Protect DoS should not stop at the base web-server package; F5’s advisory coverage includes those product lines through bundled or dependent NGINX components.[4]

If immediate patching is blocked, reduce exposure while the change is scheduled. For CVE-2026-42530, disable HTTP/3 where it is not required. For CVE-2026-42055, remove ignore_invalid_headers off or bring large_client_header_buffers below the 2 MB threshold when that is compatible with the application. These mitigations should be treated as temporary risk reduction, not as a reason to skip fixed builds.
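As an added example (not code from F5, NGINX, or the article), the following Python check scans an nginx configuration for the three-way combination behind CVE-2026-42055 described above, so an administrator can confirm whether the temporary mitigation actually removed the exposure. It assumes the 2 MB threshold applies to the size argument of large_client_header_buffers and works on a constructed sample configuration.

```python
import re

# Constructed sample configurations (not from the advisory or the article):
# the first meets all three conditions, the second keeps header buffers small.
AT_RISK_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;   # 4 MB buffers, above the 2 MB threshold
    server {
        listen 443 ssl;
        location /api  { proxy_http_version 2; proxy_pass https://backend; }
        location /grpc { grpc_pass grpc://grpc_backend; }
    }
}
"""
# Mitigated variant: same upstream settings, header buffers brought back to 16 KB.
SAFE_CONF = AT_RISK_CONF.replace("large_client_header_buffers 4 4m;",
                                 "large_client_header_buffers 4 16k;")

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}

def parse_size(token):
    """Convert an nginx size token such as 16k or 4m into bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unsupported size: {token}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]

def directives(conf):
    """Yield (name, args) for every simple directive; comments and block braces are skipped."""
    text = re.sub(r"#.*", "", conf)
    for stmt in re.finditer(r"\b([a-z_]+)\s+([^;{}]*);", text):
        yield stmt.group(1), stmt.group(2).split()

def cve_2026_42055_exposure(conf):
    """Report which advisory conditions a config meets; all three together match the advisory.
    Assumption: the 2 MB threshold is compared against the large_client_header_buffers size."""
    h2_upstream = ignore_off = False
    buffer_bytes = 0
    for name, args in directives(conf):
        if name == "proxy_http_version" and args[:1] == ["2"]:
            h2_upstream = True          # HTTP/2 proxying (ngx_http_proxy_v2_module)
        elif name == "grpc_pass":
            h2_upstream = True          # gRPC upstream (ngx_http_grpc_module)
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            ignore_off = True
        elif name == "large_client_header_buffers" and len(args) == 2:
            buffer_bytes = max(buffer_bytes, parse_size(args[1]))
    return {"h2_upstream": h2_upstream,
            "ignore_invalid_headers_off": ignore_off,
            "header_buffer_bytes": buffer_bytes,
            "matches_advisory": h2_upstream and ignore_off and buffer_bytes > 2 * 1024 ** 2}
```

Run it against `nginx -T` output to cover included files, not just nginx.conf.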

Operationally, prioritize public reverse proxies, ingress nodes, CDN-adjacent gateways, and environments that recently enabled HTTP/3 or gRPC support. Review worker restarts, unusual client-header errors, QUIC/HTTP/3 traffic spikes, and upstream HTTP/2 or gRPC routes that accept traffic from the internet. There is no public confirmation of active exploitation in the advisories reviewed for this article, but recent NGINX and edge-device incidents show why defenders should avoid letting exposed proxy flaws sit open for days.[5] The same patch-priority logic applied to recently exploited infrastructure flaws such as Splunk Enterprise CVE-2026-20253 and the FortiSandbox RCE bugs.

Bottom line: this is a configuration-sensitive NGINX update, not a blanket “every server is instantly exploitable” warning. Still, affected NGINX versions sit on high-value perimeter paths. Patch fixed builds first, then clean up risky HTTP/3, HTTP/2, and gRPC settings so the same class of worker-process memory bugs has less room to become an incident.

References

  1. NGINX, “nginx security advisories,” accessed June 19, 2026. https://nginx.org/en/security_advisories.html
  2. CVE Program, “CVE-2026-42530,” published June 17, 2026. https://www.cve.org/CVERecord?id=CVE-2026-42530
  3. CVE Program, “CVE-2026-42055,” published June 17, 2026. https://www.cve.org/CVERecord?id=CVE-2026-42055
  4. F5, “Out-of-band Security Notification (June 17, 2026),” K000161614. https://my.f5.com/manage/s/article/K000161614
  5. The Hacker News, “F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution,” June 18, 2026. https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.