F5 issues patches for two critical NGINX flaws
🛡️ F5 released updates to fix two critical vulnerabilities in NGINX Open Source that can allow remote code execution. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module and CVE-2026-42055 is a heap-based buffer overflow affecting proxy and gRPC modules when specific directives are set. Patches are available across NGINX Open Source, NGINX Plus, Gateway Fabric, Instance Manager, WAF, DoS modules and Ingress Controller versions. Mitigations include disabling HTTP/3 for CVE-2026-42530 and adjusting ignore_invalid_headers or large_client_header_buffers settings for CVE-2026-42055.
