What Happened
F5 released an out-of-band security advisory on June 17–18, 2026, disclosing multiple critical and high-severity vulnerabilities in NGINX that require emergency patching. The two most severe are CVE-2026-42530 and CVE-2026-42055, both rated CVSS 9.2, which allow unauthenticated remote attackers to cause a denial-of-service condition or execute arbitrary code against affected NGINX deployments.
CVE-2026-42530 is a use-after-free vulnerability in NGINX’s HTTP/3 module (ngx_http_v3_module). CVE-2026-42055 is a heap-based buffer overflow in the HTTP/2 reverse proxy and gRPC modules (ngx_http_proxy_v2_module and ngx_http_grpc_module). Successful exploitation causes the NGINX worker process to crash — producing a denial-of-service — and in environments where Address Space Layout Randomization (ASLR) is disabled or can be bypassed, attackers can achieve arbitrary code execution.
The advisory also addresses two high-severity flaws in NGINX Gateway Fabric — CVE-2026-11311 and CVE-2026-50107 — exploitable by authenticated users who can inject arbitrary NGINX configuration directives. F5 states it is not aware of active exploitation of any of these vulnerabilities at time of publication, but given NGINX’s near-ubiquitous deployment and the CVSS 9.2 ratings, weaponized exploits are an immediate risk.
In scope: NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, and NGINX Ingress Controller across all affected versions. Users must update to the patched releases specified in F5’s advisory. (Source: BleepingComputer)
Why This Matters for Canadian Organizations
NGINX is the most widely deployed web server and reverse proxy in the world, running on approximately a third of active web infrastructure globally. In Canada, NGINX underpins shared hosting platforms, government web portals, e-commerce sites, API gateways, cloud-native Kubernetes ingress controllers, and microservices environments across virtually every sector.
HTTP/3 and gRPC are not niche configurations — HTTP/3 is now enabled by default in many modern NGINX deployments, and gRPC is the standard protocol for internal microservice communication in containerized architectures. Canadian hosting providers and managed service providers running NGINX at scale face amplified risk: a single unpatched NGINX instance behind a load balancer is an entry point for denial-of-service attacks against downstream customers.
For organizations subject to OSFI Guideline B-13 or Bill C-26 Critical Cyber Systems obligations, a CVSS 9.2 unauthenticated RCE vulnerability in a perimeter-facing service requires same-day remediation assessment. Any NGINX instance processing external traffic — particularly those handling HTTP/3 or acting as a gRPC proxy — is a critical exposure point until patched. Under PIPEDA, an exploitation event leading to data exposure triggers breach notification obligations.
What to Do
Apply the patches from F5’s advisory immediately. For NGINX Open Source and NGINX Plus deployments, update to versions that address CVE-2026-42530 and CVE-2026-42055 as specified in F5’s security advisory. For NGINX Gateway Fabric and NGINX Ingress Controller, verify the patched versions for CVE-2026-11311 and CVE-2026-50107 and update accordingly.
If patching immediately is not possible, assess whether HTTP/3 support is required in your environment. Disabling HTTP/3 in NGINX’s configuration (removing the quic parameter from listen directives, which is what routes traffic into ngx_http_v3_module) removes the attack surface for CVE-2026-42530 while patches are staged. For CVE-2026-42055, restrict NGINX deployments to environments where ASLR is enabled; this limits the likely impact of exploitation to denial-of-service rather than code execution, narrowing the blast radius without eliminating the vulnerability.
Audit all NGINX deployments across your environment — virtual machines, containers, Kubernetes ingress controllers, API gateway configurations, and cloud load balancer integrations. Inventory which instances are internet-facing, which process HTTP/3 traffic, and which act as gRPC proxies. Prioritize patching in that order. Test patches in staging before production rollout to confirm gRPC and HTTP/2 traffic behaviour is unaffected by the update.
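As an added example (not code from F5’s advisory or the BleepingComputer write-up), the following Python audit applies the inventory order above to a dumped NGINX configuration and counts the worker crashes in error.log that would signal the denial-of-service the advisory describes. The configuration and log lines are constructed samples; the directive names and the crash line format are standard NGINX.

```python
import re

# Constructed sample inputs (not from a real deployment).
SAMPLE_CONFIG = """\
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3: ngx_http_v3_module code path
        location /grpc/ { grpc_pass grpc://127.0.0.1:50051; }   # gRPC proxy
    }
    server { listen 127.0.0.1:8080; }   # loopback only, not internet-facing
}
"""
SAMPLE_ERROR_LOG = """\
2026/06/18 10:15:01 [alert] 1234#1234: worker process 5678 exited on signal 11 (core dumped)
2026/06/18 10:15:02 [notice] 1234#1234: start worker process 5690
2026/06/18 10:15:03 [alert] 1234#1234: worker process 5690 exited on signal 11 (core dumped)
"""

LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")
GRPC_PASS_RE = re.compile(r"\bgrpc_pass\s+[^;]+;")
# Line NGINX writes to error.log when a worker dies on a signal (11 = SIGSEGV).
CRASH_RE = re.compile(r"\[alert\] \d+#\d+: worker process (\d+) exited on signal (\d+)")

def strip_comments(text):
    """Drop '#' comments so a commented-out 'listen 443 quic;' is not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def is_public(listen_args):
    """Loopback and unix-socket listeners are treated as not internet-facing."""
    return not listen_args.split()[0].startswith(("127.", "[::1]", "localhost", "unix:"))

def audit_nginx_config(text):
    """Exposure flags for one dumped config (e.g. the output of 'nginx -T')."""
    text = strip_comments(text)
    listens = [m.group(1) for m in LISTEN_RE.finditer(text)]
    # HTTP/3 is only served on 'listen ... quic' sockets (the 'http3' directive defaults to on).
    http3 = any(re.search(r"\bquic\b", a) for a in listens)
    grpc = bool(GRPC_PASS_RE.search(text))
    public = any(is_public(a) for a in listens)
    # Patch order from the write-up above: internet-facing, then HTTP/3, then gRPC proxies.
    priority = 1 if public else 2 if http3 else 3 if grpc else 4
    return {"internet_facing": public, "http3": http3, "grpc_proxy": grpc, "priority": priority}

def worker_crashes(error_log):
    """(pid, signal) for each worker that exited on a signal; a burst on an unpatched front end is the DoS symptom."""
    return [(int(pid), int(sig)) for pid, sig in CRASH_RE.findall(error_log)]
```

Run it over each instance’s `nginx -T` output and error.log to build the patch queue; a priority of 1 with http3 or grpc_proxy set is the most urgent case.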