Overview
- F5 released out-of-band security updates on Thursday to fix multiple NGINX defects, including two critical flaws tracked as CVE-2026-42530 and CVE-2026-42055.
- Both critical bugs sit in HTTP modules and can be triggered without authentication, causing a use-after-free or heap overflow that crashes the affected NGINX worker process (the master process restarts it, so the immediate impact is denial of service); code execution may be possible when Address Space Layout Randomization (ASLR) is disabled or bypassed.
- F5 supplied patched versions for NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager, and also fixed two high-severity Gateway Fabric issues that permit authenticated attackers to inject NGINX configuration directives.
- For operators who cannot patch immediately, F5 published configuration mitigations that lower short-term risk: disabling HTTP/3, removing any ignore_invalid_headers off setting (so the directive falls back to its default of on), and keeping the large_client_header_buffers size below 2 megabytes.
- There are no confirmed reports of these CVEs being exploited in the wild, but agencies and vendors are urging rapid patching because F5 products underpin large parts of enterprise infrastructure and have been targeted in prior attacks.
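The interim mitigations in the list above are all checkable from the configuration itself. The following is an added example, not code from F5 or the NGINX project: a small Python audit that scans an nginx.conf for the three settings the advisory calls out. It assumes HTTP/3 is enabled the standard NGINX way (a listen directive carrying the quic parameter and/or http3 on), reads the 2 MB threshold as applying to the per-buffer size argument of large_client_header_buffers (the second argument), and uses two constructed configuration snippets, one vulnerable and one mitigated, as input. The directive tokenizer is deliberately simple (comments stripped, statements split on semicolons and braces) and is not a full NGINX parser.

```python
"""Audit an NGINX config for the interim mitigations F5 listed:
no HTTP/3, no `ignore_invalid_headers off`, large_client_header_buffers < 2m.
Added example; not F5's or NGINX's code."""
import re

# nginx size suffixes: none = bytes, k/K = KiB, m/M = MiB
_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
LARGE_HEADER_LIMIT = 2 * 1024 * 1024  # the 2 MB threshold from the advisory summary


def parse_size(token):
    """Convert an nginx size token such as '8k' or '2m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised size: {token!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def strip_comments(text):
    """Drop everything after '#' on each line (simple tokenizer; ignores quoting)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def directives(text):
    """Yield (name, [args]) for each simple directive. Braces are treated as
    delimiters; nesting is ignored because every flagged directive matters in
    whichever context (http, server, location) it appears."""
    for stmt in re.split(r"[;{}]", strip_comments(text)):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def audit(config_text):
    """Return a list of human-readable findings; an empty list means all three
    mitigations are in place."""
    findings = []
    for name, args in directives(config_text):
        if name == "listen" and "quic" in args:
            findings.append(f"HTTP/3 enabled: listen {' '.join(args)}")
        elif name == "http3" and args[:1] == ["on"]:
            findings.append("HTTP/3 enabled: http3 on")
        elif name == "ignore_invalid_headers" and args[:1] == ["off"]:
            findings.append("ignore_invalid_headers off is set (remove it; the default is on)")
        elif name == "large_client_header_buffers" and len(args) == 2:
            # syntax: large_client_header_buffers <number> <size>
            if parse_size(args[1]) >= LARGE_HEADER_LIMIT:
                findings.append(f"large_client_header_buffers size {args[1]} is not below 2m")
    return findings


# Constructed sample configs (not taken from any real deployment).
VULNERABLE_CONF = """
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 4m;
    server {
        listen 443 ssl;
        listen 443 quic reuseport;
        http3 on;
        server_name example.test;
    }
}
"""

MITIGATED_CONF = """
http {
    # ignore_invalid_headers left at its default (on)
    large_client_header_buffers 4 64k;  # well under the 2m threshold
    server {
        listen 443 ssl;   # HTTP/1.1 and HTTP/2 only; no quic listener, no http3 on
        server_name example.test;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print("  -", f)
```

Run it against `nginx -T` output (which dumps the fully resolved configuration, including included files) rather than a single file, since the directives may live in any of the included fragments. The check is a stop-gap inventory, not a substitute for applying the patched versions.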