CVE-2026-11311 – NGINX Open Source / NGINX Gateway Fabric
“Configuration and memory handling weaknesses can turn core infrastructure services into attack surfaces.”
F5 patched four High severity vulnerabilities affecting NGINX Open Source, NGINX Plus, and NGINX Gateway Fabric. CVE-2026-42530, CVE-2026-42055, CVE-2026-11311, and CVE-2026-50107 each have a CVSS score of 8.1, which is High severity.
The vulnerabilities include a use-after-free condition in the HTTP/3 QUIC module, a heap-based buffer overflow affecting HTTP/2 proxying, and two configuration injection vulnerabilities in NGINX Gateway Fabric. Successful exploitation could lead to worker process crashes, arbitrary code execution under specific conditions, or unauthorized injection of NGINX configuration directives through manipulated custom resource definitions.
No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.
Key Details
- Affected Product
- F5 Nginx Gateway Fabric
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- CWE Classification
- CWE-76