HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

F5 Releases Out-of-Band Patches for Critical NGINX Remote Code Execution Vulnerabilities (CVE-2026-42530, CVE-2026-42055)

F5 Networks issued out‑of‑band patches for two critical NGINX vulnerabilities that enable unauthenticated remote code execution. The flaws affect any organization running NGINX, making timely remediation a SOC 2 control requirement for change management and system operations.

LiveThreat™ Intelligence · 📅 June 18, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

F5 Issues Out-of‑Band Patches for Critical NGINX Remote Code Execution Vulnerabilities

What Happened — F5 Networks released out‑of‑band security updates for multiple NGINX products to remediate two critical‑severity flaws (CVE‑2026‑42530 in ngx_http_v3_module and CVE‑2026‑42055 in ngx_http_proxy_v2_module/ngx_http_grpc_module). The vulnerabilities allow unauthenticated remote attackers to trigger denial‑of‑service or execute arbitrary code via use‑after‑free and heap‑buffer‑overflow bugs, especially when ASLR is disabled or bypassed.

Why It Matters for Compliance & Audit Readiness

  • The scenario maps directly to SOC 2 CC6.1 (Change Management) and CC7.1 (System Operations) – controls that require documented, timely patching of critical components.
  • Continuous evidence of patch‑status and configuration compliance is essential to demonstrate due diligence during a SOC 2 audit.
  • Verisq’s Control Mapping capability can automatically correlate patch deployments with the relevant SOC 2 controls, providing immutable audit evidence.

Who Is Affected — Organizations that run NGINX (Open Source, Plus, Gateway Fabric, Instance Manager) across SaaS platforms, cloud‑infrastructure services, and any web‑facing applications—spanning technology, financial services, and other regulated sectors.

Recommended Actions

  • Prioritize immediate installation of F5’s out‑of‑band patches across all NGINX instances.
  • If patching cannot be completed instantly, apply the interim mitigations: disable HTTP/3 (remove quic from listen directives) and tighten large_client_header_buffers settings.
  • Update your change‑management logs and capture patch‑deployment artifacts as SOC 2 evidence.
  • Verify that ASLR is enabled on all production servers to reduce exploitability.

Technical Notes — The flaws are use‑after‑free (CVE‑2026‑42530) and heap‑based buffer overflow (CVE‑2026‑42055) in the NGINX worker process, exploitable without authentication. Both affect non‑default configurations and can bypass ASLR. Additional high‑severity issues (CVE‑2026‑11311, CVE‑2026‑50107) enable authenticated attackers to inject arbitrary NGINX directives. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/f5-issues-out-of-band-patches-for-critical-nginx-vulnerabilities/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →