Skip to main content

NGINX Open Source CVE-2026-42530

HIGH
Use After Free (CWE-416)
2026-06-17 f5
Nginx Use After Free Memory Corruption Authentication Bypass Nginx Open Source
8.1
CVSS 3.1 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Network-reachable QUIC with no auth or UI; AC:H because triggering depends on conditions outside attacker control; A:H for reliable worker crash, C/I lowered to L because RCE requires ASLR-disabled hosts.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 15:30 vuln.today
CVE Published
Jun 17, 2026 - 14:04 cve.org
HIGH 8.1

DescriptionCVE.org

NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Articles & Coverage 1

News 4 New Nginx Vulnerabilities - 1 Critical, 3 High Severity Jun 17, 2026

AnalysisAI

Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker processes by sending a crafted HTTP/3 session that reopens a QPACK encoder stream, with potential remote code execution on hosts where ASLR is disabled or bypassed. The flaw only manifests when HTTP/3 QUIC is explicitly enabled, and F5 notes that successful triggering also depends on conditions outside the attacker's control, which is reflected in the CVSS AC:H rating. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify HTTP/3-enabled NGINX endpoint
Delivery
Establish QUIC/HTTP/3 session
Exploit
Send crafted QPACK encoder-stream reopen
Execution
Trigger use-after-free in worker
Impact
Crash worker (DoS) or pivot to code execution if ASLR absent
Sign in to reveal

Vulnerability AssessmentAI

Exploitation NGINX Open Source must be built with and actively serving HTTP/3 via the ngx_http_v3_module - i.e., at least one `listen` directive uses the `quic` parameter and the QUIC port is reachable from the attacker; deployments running only HTTP/1.1 or HTTP/2 are not exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 8.1 score with AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H reflects a network-reachable, unauthenticated bug whose impact ceiling is RCE, but the High attack complexity and the vendor's own caveat about 'conditions beyond [the attacker's] control' indicate the full RCE outcome is not reliably reproducible - the dependable outcome is a worker restart (DoS). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the public internet opens a QUIC/HTTP/3 connection to an NGINX server with HTTP/3 enabled, completes the handshake, and sends a crafted sequence that opens, closes, and re-opens the QPACK encoder stream to drive the worker into the use-after-free. In the common case this crashes and restarts the NGINX worker, producing intermittent DoS for HTTP/3 clients; against a target with ASLR disabled or with an ancillary info leak, the same primitive could be developed into worker-context code execution. …
Remediation Patch available per vendor advisory - consult F5 article K000161616 at https://my.f5.com/manage/s/article/K000161616 for the exact fixed NGINX Open Source versions and upgrade to a release on or after the listed fix; the input data does not contain a specific fixed version string to quote here. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Identify all NGINX instances with HTTP/3 QUIC explicitly enabled; establish alerting for worker process crashes and unusual termination patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-42055 HIGH
8.1 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects the ngx_http_proxy_v2_module and ngx_http_grpc_mo
CVE-2026-48142 MEDIUM
4.8 Jun 17

Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memor

Share

CVE-2026-42530 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy