{"id":275608,"date":"2026-06-18T13:32:00","date_gmt":"2026-06-18T17:32:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/18\/f5-patches-two-critical-nginx-open-source-flaws-enabling-remote-code-execution\/"},"modified":"2026-06-18T20:40:57","modified_gmt":"2026-06-19T00:40:57","slug":"f5-patches-two-critical-nginx-open-source-flaws-enabling-remote-code-execution","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/18\/f5-patches-two-critical-nginx-open-source-flaws-enabling-remote-code-execution\/","title":{"rendered":"F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/f5-patches-two-critical-nginx-open.html\">F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/f5-patches-two-critical-nginx-open.html\">https:\/\/thehackernews.com\/2026\/06\/f5-patches-two-critical-nginx-open.html<\/a><\/p>\n<p>Publish Date: 2026-06-18 13:32:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 18, 2026<\/span><\/span> <span class=\"p-tags\">Vulnerability \/ Cloud Security<\/span><\/p>\n<p>F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems.<\/p>\n<p>The vulnerabilities are listed below &#8211;<\/p>\n<ul>\n<li>CVE-2026-42530 (CVSS v4 score: 9.2) &#8211; A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP\/3 QUIC module to reopen a QPACK encoder stream by means of a specially crafted HTTP\/3 session, and execute code on systems with 
Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.<\/li>\n<li>CVE-2026-42055 (CVSS v4 score: 9.2) &#8211; A heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules that could be triggered by a remote unauthenticated attacker when proxy_http_version is set to 2 or the grpc_pass directive is used to proxy HTTP\/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 MB, and execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.<\/li>\n<\/ul>\n<p>Both shortcomings have been patched in the following versions &#8211;<\/p>\n<ul>\n<li>\n<p>CVE-2026-42530 &#8211;<\/p>\n<ul>\n<li>NGINX Open Source 1.31.0 &#8211; 1.31.1 (Fixed in 1.31.2)<\/li>\n<li>NGINX Gateway Fabric 2.0.0 &#8211; 2.6.3 (Fixed in 2.6.4)<\/li>\n<li>NGINX Gateway Fabric 1.3.0 &#8211; 1.6.2<\/li>\n<li>NGINX Instance Manager 2.17.0 &#8211; 2.22.0<\/li>\n<li>NGINX Ingress Controller 5.0.0 &#8211; 5.5.0<\/li>\n<li>NGINX Ingress Controller 4.0.0 &#8211; 4.0.1<\/li>\n<li>NGINX Ingress Controller 3.5.0 &#8211; 3.7.2<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>CVE-2026-42055 &#8211;<\/p>\n<ul>\n<li>NGINX Plus 37.0.0 &#8211; 37.0.1 (Fixed in 37.0.2.1)<\/li>\n<li>NGINX Plus R33 &#8211; R36 (Fixed in R36 P6)<\/li>\n<li>NGINX Open Source 1.31.1 (Fixed in 1.31.2)<\/li>\n<li>NGINX Open Source 1.30.0 &#8211; 1.30.2 (Fixed in 1.30.3)<\/li>\n<li>NGINX Instance Manager 2.17.0 -&#8230;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/f5-patches-two-critical-nginx-open.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution https:\/\/thehackernews.com\/2026\/06\/f5-patches-two-critical-nginx-open.html Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":275609,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhxYclMMaAOBe1jlW_s0S1SfdX3sPrGB9MZ7R9Hfo2ktoF9DiLqPA5ZYmFAyGmzws5eNmqopdPw7bBV7TTO8KgS2C8CJU8cgHNXw0ERAvk8sGRLYXH7M98eqxDM9c-rQTU0Hlj8ISEmSWMCnw6OqJMyhgxxLHCFPwP1JugZ3bCJow7AfTZ40kOo8XpY3WdF\/s1600\/f5.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[27],"class_list":["post-275608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/275608"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=275608"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/275608\/revisions"}],"predecessor-version":[{"id":275610,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/275608\/revisions\/275610"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/275609"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=275608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=275608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=275608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\
/{rel}","templated":true}]}}