F5 Issues Urgent NGINX Security Fixes for Critical RCE Vulnerabilities
Cybersecurity firm **F5** has released out-of-band security updates for its **NGINX** web server, addressing multiple vulnerabilities including two critical flaws that could lead to remote code execution. These high-severity issues affect various **NGINX** products, prompting immediate action for IT security professionals and privacy-conscious users to safeguard their systems.
Cybersecurity giant **F5** has issued urgent out-of-band security updates to patch several vulnerabilities in its widely used **NGINX** web server. Among these are two critical-severity flaws that could enable unauthenticated remote attackers to execute arbitrary code on vulnerable systems.
### Critical Vulnerabilities Detailed
The two most severe vulnerabilities are:
* **CVE-2026-42530**: Found in the `ngx_http_v3_module`.
* **CVE-2026-42055**: Affecting the `ngx_http_proxy_v2_module` and `ngx_http_grpc_module`.
Both vulnerabilities can be exploited to trigger a denial-of-service (DoS) condition or, more critically, to achieve code execution on **NGINX** systems configured with non-default settings. Successful exploitation causes a use-after-free or heap-based buffer overflow in the **NGINX** worker process, crashing it so that it restarts.
Where Address Space Layout Randomization (ASLR) is disabled, or where an attacker can bypass ASLR, the same memory corruption can be leveraged for full code execution.
### Affected Products and Mitigation
**F5** has rolled out security fixes for a range of **NGINX** software products, including:
* **NGINX Plus**
* **NGINX Open Source**
* **NGINX Gateway Fabric**
* **NGINX Instance Manager**
Administrators unable to apply updates immediately can implement temporary mitigations:
* For **CVE-2026-42530**: Disable HTTP/3 by removing `quic` from all listen directives.
* For **CVE-2026-42055**: Remove the `ignore_invalid_headers off` directive from the configuration and reduce the size argument of the `large_client_header_buffers` directive to below 2 megabytes.
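As an added example (not code from the F5 advisory), the following POSIX shell audit checks an nginx configuration file for the three settings these mitigations target: a `quic` listener, `ignore_invalid_headers off`, and a `large_client_header_buffers` size of 2 megabytes or more. The sample configurations, file paths and finding labels are constructed for this example.

```shell
# Added example: audit an nginx configuration file for the settings the
# advisory's temporary mitigations target. Sample configs, file paths and
# finding labels are constructed for this example; they are not from F5.

# Print one finding per line (prints nothing when the config is clean).
audit_nginx_conf() {
  conf="$1"
  # CVE-2026-42530 mitigation: HTTP/3 is enabled by 'quic' on a listen directive.
  grep -E '^[[:space:]]*listen[^;#]*[[:space:]]quic([[:space:]]|;)' "$conf" >/dev/null \
    && echo "quic-listen"
  # CVE-2026-42055 mitigation: 'ignore_invalid_headers off' should be removed.
  grep -E '^[[:space:]]*ignore_invalid_headers[[:space:]]+off[[:space:]]*;' "$conf" >/dev/null \
    && echo "ignore_invalid_headers-off"
  # CVE-2026-42055 mitigation: large_client_header_buffers <number> <size>;
  # flag any size of 2 megabytes or more (nginx sizes: bare bytes, k, m, g).
  awk '/^[[:space:]]*large_client_header_buffers[[:space:]]/ {
         sub(/;.*/, ""); size = $3; n = size + 0
         unit = tolower(substr(size, length(size)))
         if (unit == "k") n *= 1024
         else if (unit == "m") n *= 1048576
         else if (unit == "g") n *= 1073741824
         if (n >= 2097152) print "large_client_header_buffers-" size
       }' "$conf"
  return 0
}

# Constructed sample: a config that carries all three risky settings.
sample_conf="${TMPDIR:-/tmp}/nginx-audit-sample.conf"
cat > "$sample_conf" <<'EOF'
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 2m;
    server {
        listen 443 ssl;
        listen 443 quic reuseport;
    }
}
EOF

# The same config after applying the advisory's mitigations.
fixed_conf="${TMPDIR:-/tmp}/nginx-audit-fixed.conf"
cat > "$fixed_conf" <<'EOF'
http {
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;
    }
}
EOF

audit_nginx_conf "$sample_conf"
```

Run it against your own `nginx.conf` (and any files it includes) to list which of the three settings are still present; an empty result means none of the mitigations apply to that file.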
### Additional High-Severity Flaws
**F5** also addressed two high-severity security flaws in **NGINX Gateway Fabric**:
* **CVE-2026-11311**
* **CVE-2026-50107**
These vulnerabilities could allow authenticated attackers to inject arbitrary **NGINX** configuration directives.
### A History of Exploitation
While **F5** has not yet observed these specific vulnerabilities being exploited in the wild, the company's products have been frequent targets for both cybercrime groups and state-sponsored actors. Past exploits of **F5** vulnerabilities have led to:
* Breaching corporate networks.
* Deploying data-wiping malware.
* Mapping internal servers.
* Hijacking devices.
* Stealing sensitive documents.
Notably, **F5** disclosed in October that state-backed attackers breached its systems in August 2025, exfiltrating undisclosed **BIG-IP** security vulnerabilities and source code. The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has listed seven **F5** vulnerabilities in its Known Exploited Vulnerabilities Catalog, with four of these being exploited in ransomware attacks.
**F5** is a Fortune 500 company providing cybersecurity and application delivery networking (ADN) services to over 23,000 customers globally, including a significant portion of the Fortune 500.