F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems.
Both shortcomings have been patched in the following versions -
As mitigations, F5 has outlined the following actions -
Although F5 makes no mention of the vulnerabilities being exploited in the wild, security flaws in F5 products have been repeatedly exploited by bad actors.
As recently as last month, another critical security defect in NGINX Plus and NGINX Open Source (
, CVSS score: 9.2), also called NGINX Rift, came under
CyStack's Trung Nguyen, who is credited as one of the researchers behind discovering and reporting both the flaws, described CVE-2026-42530 as resulting from a "lifetime mismatch," which could then trigger the use-after-free primitive.
"A pointer that belongs to the HTTP/3 session, which lives for the duration of the connection, ends up holding memory that belongs to a unidirectional stream that lives only for a moment," Nguyen
. "When that stream closes, the memory is freed, but the session-level pointer is still there and is still treated as valid."
CVE-2026-42055, on the other hand, is a heap overflow that causes attacker-controlled HPACK data to be written to unauthorized memory regions without requiring any authentication. The oversized requests can be exploited to cause repeated worker process crashes, resulting in a sustained denial-of-service (DoS).
"The request builder reserves a fixed 4 bytes for the length prefix of an HPACK string, but the HPACK varint encoder emits 5 bytes when the length value exceeds 2097278," Nguyen
. "Each oversized field therefore makes the write run past the allocated region, carrying attacker-controlled HPACK data with it."
(The story was updated after publication on June 22, 2026, to include additional details published by CyStack.)