F5 NGINX Out-of-Band Critical Security Patches Released

What Happened

On June 18, 2026, F5 released out-of-band security patches addressing four vulnerabilities in NGINX — two rated Critical and two rated High severity. The out-of-band release cadence underscores the seriousness of these flaws, which affect NGINX Plus, NGINX Open Source, NGINX Gateway Fabric, and NGINX Instance Manager.

The two critical vulnerabilities are:

  • CVE-2026-42530 — Affects the ngx_http_v3_module (HTTP/3). Unauthenticated remote attackers can trigger a use-after-free condition, leading to denial-of-service (DoS) or remote code execution (RCE) on systems where ASLR is disabled or can be bypassed.
  • CVE-2026-42055 — Affects the ngx_http_proxy_v2_module and ngx_http_grpc_module. Exploitation causes a heap-based buffer overflow in the worker process, resulting in DoS or potential RCE under the same ASLR constraints.

The two additional high-severity flaws — CVE-2026-11311 and CVE-2026-50107 — impact NGINX Gateway Fabric and allow authenticated attackers to inject arbitrary NGINX configuration directives.

As of publication, F5 has not flagged any of these vulnerabilities as actively exploited in the wild. However, F5 products remain high-value targets for both cybercriminal and nation-state threat actors, with CISA having flagged seven F5 vulnerabilities as actively exploited in recent years — four of which were used in ransomware campaigns.

Impact

NGINX powers approximately 33% of all websites globally and is the dominant ingress controller and reverse proxy in Kubernetes environments. The blast radius is therefore enormous:

  • Web Servers: Any internet-facing NGINX instance with HTTP/3 enabled (quic listen directive) or non-default proxy/gRPC configuration is potentially reachable by unauthenticated attackers.
  • Reverse Proxies & Load Balancers: NGINX is the most widely deployed reverse proxy. Exploitation at this layer exposes all backend services behind the proxy.
  • Kubernetes Ingress: NGINX Ingress Controller is the default ingress for countless Kubernetes clusters. Compromise of the ingress grants attackers a foothold at the cluster edge, potentially enabling lateral movement into internal services.
  • API Gateways: NGINX-based API gateways (including NGINX Gateway Fabric) are affected. The high-severity config injection flaws enable attackers with authenticated access to inject malicious directives, potentially redirecting traffic or disabling security controls.

Fix

F5 has released patched versions across all affected product lines. Organizations should:

  1. Apply patches immediately. Retrieve updated packages through your normal distribution channels — F5’s download portal, package repositories (apt/yum), or container registries for NGINX Ingress Controller and Gateway Fabric images.
  2. Verify versions. Check that all NGINX deployments (including sidecars, ingress controllers, and API gateways) are running the patched release.
  3. If immediate patching is impossible:
    • For CVE-2026-42530: Disable HTTP/3 by removing quic from all listen directives.
    • For CVE-2026-42055: Remove ignore_invalid_headers off; from the configuration and set large_client_header_buffers to a buffer size below 2 megabytes.
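As an added example (not from F5's advisory or the NGINX project), a small POSIX shell audit that flags the three settings the interim mitigations above change, run here against a constructed sample config. The 2 MiB threshold and the directive names come from the advisory; the matching patterns and the assumption that size values use k/m suffixes are my own.

```shell
#!/bin/sh
# Added audit helper, not F5 or NGINX code. Scans an nginx.conf for the
# settings the interim mitigations change: quic on listen (HTTP/3),
# "ignore_invalid_headers off", and large_client_header_buffers with a
# buffer size of 2 MiB or more.

# Convert an NGINX size value (bytes, k/K, m/M suffix) to bytes.
size_to_bytes() {
    case "$1" in
        *[kK]) echo $(( ${1%[kK]} * 1024 )) ;;
        *[mM]) echo $(( ${1%[mM]} * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Print one finding per line for the config file in $1; comments are ignored.
audit_nginx_conf() {
    conf=$(sed 's/#.*$//' "$1")          # drop comments before matching
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*listen[^;]*[[:space:]]quic[[:space:];]' &&
        echo "CVE-2026-42530: quic found on a listen directive; remove it to disable HTTP/3"
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ignore_invalid_headers[[:space:]]+off[[:space:]]*;' &&
        echo "CVE-2026-42055: ignore_invalid_headers off; is set; remove it"
    # Directive form: large_client_header_buffers <number> <size>;
    for size in $(printf '%s\n' "$conf" |
            sed -n 's/^[[:space:]]*large_client_header_buffers[[:space:]]*[0-9][0-9]*[[:space:]]*\([0-9][0-9]*[kKmM]*\)[[:space:]]*;.*/\1/p'); do
        [ "$(size_to_bytes "$size")" -ge 2097152 ] &&
            echo "CVE-2026-42055: large_client_header_buffers size $size is >= 2m; reduce it"
    done
    return 0
}

# Constructed sample config containing all three risky settings (not a real deployment).
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 2m;
    # large_client_header_buffers 4 8m;   commented out: must not be reported
    server {
        listen 443 quic reuseport;
        listen 443 ssl;
        grpc_pass grpc://backend;
    }
}
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    audit_nginx_conf "$(write_sample_config)"   # prints the three findings above
fi
```

Run with --demo to see the findings for the sample, or pass a real path to audit_nginx_conf; a hardened config produces no output.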

Recommendations

  • Treat this as a priority patch event. Out-of-band releases from F5 are rare and signal that the standard patch cycle was deemed insufficient for the risk.
  • Inventory all NGINX deployments — not just frontend web servers but also ingress controllers, sidecar proxies in service meshes, and NGINX-based API gateways.
  • Review configurations for non-default settings that expand attack surface (HTTP/3, proxy protocol v2, gRPC proxying, large header buffers).
  • Monitor F5’s security advisory page for CVSS scores and additional hardening guidance as F5 continues to publish details.
  • If you operate NGINX in Kubernetes, ensure your cluster image policy is pulling updated ingress controller and Gateway Fabric images.
