Introduction
A newly disclosed Use After Free in NGINX's HTTP/3 QPACK implementation allows a remote, unauthenticated attacker to crash worker processes and, under the right conditions, achieve code execution on the world's most widely deployed web server. With NGINX powering 32.8% of all websites with a known web server and the recent precedent of CVE-2026-42945 being exploited in the wild within four days of disclosure, organizations running NGINX 1.31.x with HTTP/3 enabled should evaluate their exposure immediately.
Technical Information
Root Cause: Use After Free in QPACK Encoder Stream Handling
CVE-2026-42530 is classified as CWE-416 (Use After Free) and resides in NGINX's ngx_http_v3_module, the module responsible for HTTP/3 (QUIC) support. The vulnerability was published by F5 Networks as the CNA on June 17, 2026, and carries a CVSS v4.0 score of 9.2 Critical (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) and a CVSS v3.1 score of 8.1 High.
HTTP/3 relies on QPACK (defined in RFC 9204) for header field compression. QPACK operates through dedicated unidirectional streams: an encoder stream and a decoder stream. Per the specification, each endpoint opens exactly one encoder stream and one decoder stream per HTTP/3 session. This invariant is fundamental to the protocol's correctness.
The vulnerability arises when a specially crafted HTTP/3 session causes the QPACK encoder stream to be reopened after it has already been closed or its associated memory has been freed. When NGINX processes this reopened stream, it dereferences a pointer to memory that has already been deallocated. This is a classic Use After Free condition: the memory region may have been reallocated for a different purpose, and any read or write through the stale pointer corrupts the new data or follows attacker controlled values.
Impact: Denial of Service and Conditional RCE
The immediate and reliably achievable impact is denial of service. The Use After Free causes the NGINX worker process to crash and restart. No conditions beyond network access and an HTTP/3 enabled configuration are required for this outcome.
The more severe impact, remote code execution, requires additional conditions that the F5 advisory describes as "beyond the attacker's control":
- ASLR must be disabled on the target system, or
- The attacker must possess a separate capability to bypass ASLR (for example, through an information leak vulnerability)
When ASLR is absent or defeated, the attacker can predict the layout of memory and craft the freed region's contents to redirect execution flow. This transforms the Use After Free from a crash into a controlled write primitive suitable for code execution.
Attack Flow
Based on the advisory details, an attack would proceed as follows:
-
Prerequisite identification: The attacker identifies an NGINX instance accepting HTTP/3 connections. This is detectable through the
Alt-Svcheader or by probing UDP port 443 for QUIC responses. -
Session establishment: The attacker initiates a standard HTTP/3 QUIC session with the target server.
-
QPACK stream manipulation: Within the session, the attacker crafts a sequence of QUIC frames that causes the QPACK encoder stream to be closed and then reopened. The specific framing that triggers this behavior exploits a logic error in
ngx_http_v3_module's stream lifecycle management. -
Use After Free trigger: When NGINX processes the reopened encoder stream, it accesses freed memory. For DoS, this is sufficient; the worker process crashes.
-
RCE exploitation (conditional): If ASLR is disabled, the attacker can arrange for the freed memory to be reallocated with attacker controlled content before the stale pointer is dereferenced, enabling arbitrary code execution in the context of the NGINX worker process.
The F5 advisory confirms this is a data plane issue only, meaning the NGINX control plane is not exposed through this vulnerability.
CVSS Breakdown
| Metric | CVSS v3.1 | CVSS v4.0 |
|---|---|---|
| Score | 8.1 High | 9.2 Critical |
| Attack Vector | Network | Network |
| Attack Complexity | High | High |
| Privileges Required | None | None |
| User Interaction | None | None |
| Confidentiality Impact | High | High |
| Integrity Impact | High | High |
| Availability Impact | High | High |
The High attack complexity rating in both scoring systems reflects the conditions beyond the attacker's control and the ASLR requirement for full exploitation.
Affected Systems and Versions
The vulnerability affects a narrow set of NGINX Open Source versions but propagates through multiple downstream F5 products.
NGINX Open Source
Only the 1.31.x mainline branch is affected:
| Vulnerable Versions | Fixed Version |
|---|---|
| 1.31.0, 1.31.1 | 1.31.2 |
Organizations running the NGINX stable branch (1.30.x and earlier) are not affected by this specific CVE. Software versions that have reached End of Technical Support (EoTS) are not evaluated per F5's policy.
Downstream F5 Products
| Product | Vulnerable Versions | Resolution |
|---|---|---|
| NGINX Instance Manager | 2.17.0 through 2.22.0 | See F5 advisory |
| NGINX Gateway Fabric (Branch 2.x) | 2.0.0 through 2.6.3 | See F5 advisory |
| NGINX Gateway Fabric (Branch 1.x) | 1.3.0 through 1.6.2 | See F5 advisory |
| NGINX Ingress Controller (Branch 5.x) | 5.0.0 through 5.5.0 | See F5 advisory |
| NGINX Ingress Controller (Branch 4.x) | 4.0.0 through 4.0.1 | See F5 advisory |
| NGINX Ingress Controller (Branch 3.x) | 3.5.0 through 3.7.2 | See F5 advisory |
Required Configuration
The vulnerability is only exploitable when HTTP/3 QUIC is enabled. Specifically, the listen directive must include the quic parameter:
listen 443 quic reuseport;
Instances configured without quic in their listen directives do not invoke the vulnerable ngx_http_v3_module code path and are not at risk.
Mitigation
The F5 advisory provides a single explicit workaround: remove quic from all listen directives. For example, change:
listen 443 quic reuseport;
to:
listen 443 ssl;
This eliminates the vulnerable code path entirely. The definitive fix is upgrading to NGINX Open Source 1.31.2 or later.
Additional defense in depth measures worth implementing:
- Verify ASLR is enabled on all NGINX hosts. On Linux, check with
cat /proc/sys/kernel/randomize_va_space(the value should be 2). This does not prevent the DoS scenario but blocks the RCE path. - Restrict UDP port 443 at the network perimeter to limit QUIC exposure where patching cannot be applied immediately.
- Monitor for repeated worker process restarts, which may indicate active exploitation attempts.
- Inventory all NGINX derived products across your environment, including Kubernetes ingress controllers, API gateways, and management planes that embed NGINX.
Vendor Security History
The 2026 calendar year has been particularly active for NGINX security disclosures. CVE-2026-42530 is the eighth NGINX CVE disclosed this year:
| CVE | Module | Type | CVSS v3.1 | Disclosed | Exploited in Wild |
|---|---|---|---|---|---|
| CVE-2026-42530 | ngx_http_v3_module | Use After Free | 8.1 | Jun 17, 2026 | No evidence yet |
| CVE-2026-9256 | ngx_http_rewrite_module | Heap Buffer Overflow | Medium | May 22, 2026 | No |
| CVE-2026-42945 | ngx_http_rewrite_module | Heap Buffer Overflow | 8.1 | May 13, 2026 | Yes |
| CVE-2026-40460 | ngx_quic_module | IP Spoofing/Auth Bypass | Medium | May 13, 2026 | No |
| CVE-2026-42946 | ngx_http_scgi/uwsgi_module | Memory Over Read | 6.5 | May 13, 2026 | No |
| CVE-2026-42934 | ngx_http_charset_module | Heap Over Read | 4.8 | May 13, 2026 | No |
| CVE-2026-40701 | ngx_http_ssl_module | SSL Vulnerability | 4.8 | May 13, 2026 | No |
| CVE-2026-1642 | SSL upstream | MITM Injection | 8.8 | Feb 4, 2026 | No |
The May 13 disclosure batch alone included seven CVEs, published under F5's Quarterly Security Notification. The most consequential of these, CVE-2026-42945 (dubbed "NGINX Rift"), was an 18 year old heap buffer overflow in the rewrite module. VulnCheck confirmed active exploitation within four to five days of disclosure. Security researcher Kevin Beaumont noted that RCE for that vulnerability also required ASLR to be disabled, a condition that parallels CVE-2026-42530.
The HTTP/3 QUIC module specifically has been a recurring source of vulnerabilities. Including CVE-2026-42530, there have been at least eight HTTP/3 related CVEs across 2024 and 2026:
| CVE | Year | Issue |
|---|---|---|
| CVE-2024-24990 | 2024 | Use After Free in HTTP/3 |
| CVE-2024-24989 | 2024 | NULL Pointer Dereference |
| CVE-2024-32760 | 2024 | Buffer Overwrite in HTTP/3 |
| CVE-2024-31079 | 2024 | Stack Overflow/Use After Free |
| CVE-2024-35200 | 2024 | NULL Pointer Dereference |
| CVE-2024-34161 | 2024 | Memory Disclosure |
| CVE-2026-40460 | 2026 | QUIC Source IP Spoofing |
| CVE-2026-42530 | 2026 | QPACK Use After Free |
This pattern suggests that the HTTP/3 implementation in NGINX remains an immature attack surface. The combination of a relatively new protocol, complex stream management across QPACK encoder and decoder streams, and manual memory management in C creates multiple opportunities for memory corruption flaws. Organizations should evaluate whether HTTP/3 is operationally necessary for their deployments and consider disabling it where the performance benefits do not justify the additional attack surface.
The CSA (Cyber Security Agency) of Singapore has also issued advisories covering the May 2026 F5 vulnerabilities, indicating international governmental attention to NGINX security posture.
References
- NVD: CVE-2026-42530
- F5 Advisory: NGINX ngx_http_v3_module vulnerability CVE-2026-42530 (K000161616)
- RFC 9204: QPACK Field Compression for HTTP/3
- F5 Quarterly Security Notification (May 2026)
- NGINX Security Advisories
- NGINX News: 2026
- NGINX Downloads
- CISA Known Exploited Vulnerabilities Catalog
- F5 Advisory: NGINX ngx_quic_module vulnerability CVE-2026-40460
- CSA Singapore: Multiple Vulnerabilities in F5 NGINX, BIG-IP and BIG-IQ
- The Hacker News: NGINX CVE-2026-42945 Exploited in the Wild
- Help Net Security: Attackers are exploiting critical NGINX vulnerability (CVE-2026-42945)
- runZero: F5 NGINX vulnerability: Find impacted systems
- QPACK How To: nghttp3 documentation
- F5 Advisory: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945



