F5 has issued an emergency security advisory addressing several vulnerabilities affecting NGINX products and related components. The flaws could allow attackers to disrupt services, crash applications, or potentially execute malicious code in vulnerable environments.
The notification covers multiple products, including NGINX Open Source, NGINX Plus, NGINX Instance Manager, NGINX Gateway Fabric, NGINX Ingress Controller, and App Protect security modules. According to F5, organizations using affected versions should prioritize updates to reduce exposure to active threats.
Critical Vulnerabilities Impact HTTP/3, HTTP/2, and gRPC Services
Among the most serious issues is CVE-2026-42530, a vulnerability within the NGINX HTTP/3 module. Attackers can send specially crafted HTTP/3 requests to trigger memory-related errors, causing worker processes to crash repeatedly. In certain environments, the flaw may also open a path for remote code execution.
Another high-risk vulnerability, CVE-2026-42055, affects deployments that utilize HTTP/2 or gRPC proxying. Malicious traffic can abuse weaknesses in request handling, potentially leading to service interruptions, application crashes, and in some cases, code execution.
Key concerns include:
- Potential remote code execution on vulnerable systems
- Denial-of-service conditions causing service outages
- Increased risk for environments using HTTP/3, HTTP/2, and gRPC
- Exposure across several NGINX-based products and services
Gateway Fabric Vulnerabilities Add Additional Risk
F5 also highlighted multiple high-severity vulnerabilities impacting NGINX Gateway Fabric deployments. These issues can affect traffic routing reliability, application availability, and overall service stability in cloud-native and gateway environments.
To address the risks, F5 has released updated versions containing security fixes and recommends that customers:
- Upgrade affected NGINX products immediately
- Review exposed HTTP/2, HTTP/3, and gRPC services
- Verify that security patches have been applied successfully
- Update Gateway Fabric deployments to the latest supported release
The advisory serves as a reminder that organizations relying on modern web application infrastructure should maintain a proactive patch management strategy, particularly when vulnerabilities affect core traffic-processing components.
Recommended Security Actions
F5 urges customers to update affected NGINX products to the latest secure versions as soon as possible.
For systems that cannot be patched immediately, organizations should disable unnecessary HTTP/3 and QUIC services, limit HTTP/2 and gRPC exposure, strengthen access controls, and enable security hardening measures to reduce the risk of exploitation.
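One way to carry out the review of exposed HTTP/2, HTTP/3, and gRPC services on an NGINX host, as an added example that is not part of F5's advisory: a Python script that scans configuration text, such as the output of `nginx -T`, for the directives that enable those protocols. The sample configuration is constructed, and the names `audit`, `CHECKS` and `SAMPLE` are hypothetical.

```python
import re
import sys

# Directives that enable the protocol surfaces named in the advisory.
# Assumes one directive per line, as `nginx -T` prints them.
CHECKS = [
    ("HTTP/3 (QUIC listener)", re.compile(r"^listen\s+.*\bquic\b")),
    ("HTTP/3 (http3 on)", re.compile(r"^http3\s+on$")),
    ("HTTP/2 (http2 on)", re.compile(r"^http2\s+on$")),
    ("HTTP/2 (listen flag)", re.compile(r"^listen\s+.*\bhttp2\b")),
    ("gRPC proxying", re.compile(r"^grpc_pass\s+\S+")),
]

# Constructed sample configuration (not taken from the advisory).
SAMPLE = """\
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http2 on;
    http3 on;
    # listen 8080 quic;  (commented out, must be ignored)
    location /api { grpc_pass grpc://127.0.0.1:50051; }
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    listen 8443 ssl http2;
}
"""

def audit(config_text):
    """Return (line_no, surface, directive) for each enabled protocol surface."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]  # naive comment strip; a quoted '#' is cut short
        for stmt in re.split(r"[;{}]", code):
            stmt = " ".join(stmt.split())  # normalise whitespace
            for surface, pattern in CHECKS:
                if pattern.search(stmt):
                    findings.append((line_no, surface, stmt))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line_no, surface, stmt in audit(text):
        print(f"line {line_no}: {surface}: {stmt}")
```

Each finding marks a listener or location to patch first or, where the protocol is not needed, to disable until the update is applied.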