Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

High-Severity Vulnerabilities in NGINX

19 June 2026

Attackers can exploit high-severity vulnerabilities in NGINX to cause worker process crashes and, under certain conditions, achieve remote code execution. Patch immediately.

Background

F5 has released an out-of-band security advisory to address a use-after-free vulnerability in the ngx_http_v3_module (CVE-2026-42530) and a heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055) affecting NGINX. 

The vulnerabilities have the following Common Vulnerability Scoring System (CVSS v3.1) scores of: CVE-2026-42530 at 8.1 and CVE-2026-42055 at 8.1, out of 10. 

Impact

Successful exploitation of these vulnerabilities could lead to the following:

  • CVE-2026-42530: Due to a use-after-free vulnerability in the ngx_http_v3_module, an unauthenticated attacker could send a crafted HTTP/3 session to crash the NGINX worker process, with potential remote code execution if ASLR is disabled or bypassed.

  • CVE-2026-42055: Due to a heap-based buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module, an unauthenticated attacker could send oversized headers to crash the NGINX worker process, with potential remote code execution if ASLR is disabled or bypassed.

Affected Products

For CVE-2026-42530:

  • NGINX Open Source 1.x: versions 1.31.0 through 1.31.1

  • NGINX Instance Manager 2.x: versions 2.17.0 through 2.22.0

  • NGINX Gateway Fabric 2.x: versions 2.0.0 through 2.6.3

  • NGINX Gateway Fabric 1.x: versions 1.3.0 through 1.6.2

  • NGINX Ingress Controller 5.x: versions 5.0.0 through 5.5.0

  • NGINX Ingress Controller 4.x: versions 4.0.0 through 4.0.1

  • NGINX Ingress Controller 3.x: versions 3.5.0 through 3.7.2

For CVE-2026-42055:

  • NGINX Plus 37.x: versions 37.0.0 through 37.0.1

  • NGINX Plus Rx: versions R33 through R36

  • NGINX Open Source 1.x: versions 1.31.1, and 1.30.0 through 1.30.2

  • NGINX Instance Manager 2.x: versions 2.17.0 through 2.22.0

  • F5 WAF for NGINX 5.x: versions 5.9.0 through 5.13.1

  • NGINX App Protect WAF 5.x: versions 5.2.0 through 5.8.0

  • NGINX App Protect WAF 4.x: versions 4.10.0 through 4.16.0

  • F5 DoS for NGINX 4.x: version 4.9.0

  • NGINX App Protect DoS 4.x: versions 4.3.0 through 4.7.0

  • NGINX Gateway Fabric 2.x: versions 2.0.0 through 2.6.3

  • NGINX Gateway Fabric 1.x: versions 1.3.0 through 1.6.2

  • NGINX Ingress Controller 5.x: versions 5.0.0 through 5.5.0

  • NGINX Ingress Controller 4.x: versions 4.0.0 through 4.0.1

  • NGINX Ingress Controller 3.x: versions 3.5.0 through 3.7.2

Recommendations

Users and administrators of affected products are advised to update to the latest versions immediately.

Mitigation

As an interim measure, users and administrators who are unable to update immediately can apply the following mitigations:

For CVE-2026-42530:

  • Disable HTTP/3 (remove quic from all listen directives).

For CVE-2026-42055:

  • Remove the ignore_invalid_headers off directive from the configuration.

  • Reduce the large_client_header_buffers directive size below 2 megabytes.

References

https://nginx.org/en/security_advisories.html

https://my.f5.com/manage/s/article/K000161616

https://my.f5.com/manage/s/article/K000161584

https://nvd.nist.gov/vuln/detail/CVE-2026-42530

https://nvd.nist.gov/vuln/detail/CVE-2026-42055

https://www.bleepingcomputer.com/news/security/f5-issues-out-of-band-patches-for-critical-nginx-vulnerabilities/

Back to top