HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Critical NGINX Use‑After‑Free & Heap Overflow (CVE‑2026‑42530, CVE‑2026‑42055) Enable Unauthenticated Code Execution – F5 Issues Emergency Patches

F5 released out‑of‑band patches for two CVSS‑9.2 NGINX vulnerabilities that allow remote unauthenticated attackers to cause denial‑of‑service or arbitrary code execution via crafted HTTP/3 or HTTP/2 traffic. Organizations must prove timely patch management to satisfy SOC 2 audit requirements.

LiveThreat™ Intelligence · 📅 June 18, 2026· 📰 securityaffairs.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Critical NGINX Use‑After‑Free & Heap Overflow (CVE‑2026‑42530, CVE‑2026‑42055) Enable Unauthenticated Code Execution – F5 Issues Emergency Patches

What It Is — F5 released out‑of‑band patches for two critical NGINX flaws (CVE‑2026‑42530, CVE‑2026‑42055) that allow remote unauthenticated attackers to trigger memory corruption, leading to denial‑of‑service or arbitrary code execution. Both vulnerabilities score 9.2 on the CVSS scale.

Exploitability — Publicly disclosed; proof‑of‑concept details are available. No widespread exploit campaigns have been observed, but the remote unauthenticated nature makes exploitation feasible once an attacker crafts malicious HTTP/3 or HTTP/2 traffic.

Affected Products — NGINX Open Source and NGINX Plus modules: ngx_http_v3_module, ngx_http_proxy_v2_module, ngx_http_grpc_module. These modules are embedded in F5 BIG‑IP and other appliance contexts that rely on NGINX for data‑plane traffic handling.

Why It Matters for Compliance & Audit Readiness

  • SOC 2 Change Management (CC6.1) mandates documented, timely remediation of critical vulnerabilities; failure to patch these CVEs can be cited as a control breach.
  • Continuous evidence collection of patch deployment satisfies audit evidence for System Operations (CC7.1) and demonstrates due‑diligence to auditors and enterprise customers.
  • Control mapping of the vulnerability to your security framework provides a defensible posture that many buyers now require as part of SOC 2 readiness assessments.

Recommended Actions

  • Inventory every NGINX instance (Open Source & Plus) and flag those with HTTP/3 or HTTP/2 proxy enabled.
  • Apply F5’s emergency patches immediately; verify the installed version numbers.
  • Capture automated deployment logs and update change‑management tickets to create SOC 2‑ready audit evidence.
  • Ensure Address Space Layout Randomization (ASLR) is enabled and hardened; re‑test after patching.
  • Refresh your vulnerability‑management policy to explicitly cover out‑of‑band patches for critical flaws.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/193842/security/f5-patches-critical-nginx-vulnerabilities-enabling-unauthenticated-code-execution.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →