CVE-2026-42530 – NGINX Open Source / NGINX Gateway Fabric

CVSS 8.1 IMPORTANT High with EoP or RCE – Expedited Deployment

“Configuration and memory handling weaknesses can turn core infrastructure services into attack surfaces.”

F5 patched four High severity vulnerabilities affecting NGINX Open Source, NGINX Plus, and NGINX Gateway Fabric. CVE-2026-42530, CVE-2026-42055, CVE-2026-11311, and CVE-2026-50107 each have a CVSS score of 8.1, which is High severity.

The vulnerabilities include a use-after-free condition in the HTTP/3 QUIC module, a heap-based buffer overflow affecting HTTP/2 proxying, and two configuration injection vulnerabilities in NGINX Gateway Fabric. Successful exploitation could lead to worker process crashes, arbitrary code execution under specific conditions, or unauthorized injection of NGINX configuration directives through manipulated custom resource definitions.

No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Affected Product
F5 Nginx Gateway Fabric
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-416
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.