F5 Issues Out-of‑Band Patches for Critical NGINX Remote Code Execution Vulnerabilities
What Happened — F5 Networks released out‑of‑band security updates for multiple NGINX products to remediate two critical‑severity flaws (CVE‑2026‑42530 in ngx_http_v3_module and CVE‑2026‑42055 in ngx_http_proxy_v2_module/ngx_http_grpc_module). The vulnerabilities allow unauthenticated remote attackers to trigger denial‑of‑service or execute arbitrary code via use‑after‑free and heap‑buffer‑overflow bugs, especially when ASLR is disabled or bypassed.
Why It Matters for Compliance & Audit Readiness
- The scenario maps directly to SOC 2 CC6.1 (Change Management) and CC7.1 (System Operations) – controls that require documented, timely patching of critical components.
- Continuous evidence of patch‑status and configuration compliance is essential to demonstrate due diligence during a SOC 2 audit.
- Verisq’s Control Mapping capability can automatically correlate patch deployments with the relevant SOC 2 controls, providing immutable audit evidence.
Who Is Affected — Organizations that run NGINX (Open Source, Plus, Gateway Fabric, Instance Manager) across SaaS platforms, cloud‑infrastructure services, and any web‑facing applications—spanning technology, financial services, and other regulated sectors.
Recommended Actions
- Prioritize immediate installation of F5’s out‑of‑band patches across all NGINX instances.
- If patching cannot be completed instantly, apply the interim mitigations: disable HTTP/3 (remove
quicfrom listen directives) and tightenlarge_client_header_bufferssettings. - Update your change‑management logs and capture patch‑deployment artifacts as SOC 2 evidence.
- Verify that ASLR is enabled on all production servers to reduce exploitability.
Technical Notes — The flaws are use‑after‑free (CVE‑2026‑42530) and heap‑based buffer overflow (CVE‑2026‑42055) in the NGINX worker process, exploitable without authentication. Both affect non‑default configurations and can bypass ASLR. Additional high‑severity issues (CVE‑2026‑11311, CVE‑2026‑50107) enable authenticated attackers to inject arbitrary NGINX directives. Source: BleepingComputer