Vulnerability in NGINX Open Source's HTTP/3 Module
CVE-2026-42530

9.2 CRITICAL

Key Information:

Vendor: F5

CVE Published: 17 June 2026

What is CVE-2026-42530?

NGINX Open Source contains a significant vulnerability in its HTTP/3 QUIC module. When this module is enabled, an unauthenticated remote attacker may, under conditions beyond their control, send specially crafted HTTP/3 requests that reopen a QPACK encoder stream. This leads to a Use-after-Free condition in the NGINX worker process, which can crash the worker and cause a restart of the service. The vulnerability also poses a risk of code execution on systems where Address Space Layout Randomization (ASLR) is disabled or bypassed, so system administrators should treat it as requiring immediate attention.

Affected Version(s)

NGINX Open Source 1.31.0 and later versions before 1.31.2 (affected range: 1.31.0 < 1.31.2)

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

"F5 acknowledges Trung Nguyen (@everping) of CyStack, Zhenpeng (Leo) Lin (depthfirst), Evan Hellman (@xintenseapple) of Trail of Bits in collaboration with OpenAI, AntAISecurityLab, and Nebula Security (@nebusecurity) for bringing this issue to our attention and following the highest standards of coordinated disclosure."