ZeroPath at Black Hat USA 2026

NGINX HTTP/3 QPACK Use After Free (CVE-2026-42530): Brief Summary of a Critical Remote Vulnerability

A brief summary of CVE-2026-42530, a Use After Free vulnerability in NGINX's HTTP/3 QPACK encoder stream handling that enables unauthenticated denial of service and conditional remote code execution against servers running NGINX Open Source 1.31.0 and 1.31.1.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-17

NGINX HTTP/3 QPACK Use After Free (CVE-2026-42530): Brief Summary of a Critical Remote Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A newly disclosed Use After Free in NGINX's HTTP/3 QPACK implementation allows a remote, unauthenticated attacker to crash worker processes and, under the right conditions, achieve code execution on the world's most widely deployed web server. With NGINX powering 32.8% of all websites with a known web server and the recent precedent of CVE-2026-42945 being exploited in the wild within four days of disclosure, organizations running NGINX 1.31.x with HTTP/3 enabled should evaluate their exposure immediately.

Technical Information

Root Cause: Use After Free in QPACK Encoder Stream Handling

CVE-2026-42530 is classified as CWE-416 (Use After Free) and resides in NGINX's ngx_http_v3_module, the module responsible for HTTP/3 (QUIC) support. The vulnerability was published by F5 Networks as the CNA on June 17, 2026, and carries a CVSS v4.0 score of 9.2 Critical (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) and a CVSS v3.1 score of 8.1 High.

HTTP/3 relies on QPACK (defined in RFC 9204) for header field compression. QPACK operates through dedicated unidirectional streams: an encoder stream and a decoder stream. Per the specification, each endpoint opens exactly one encoder stream and one decoder stream per HTTP/3 session. This invariant is fundamental to the protocol's correctness.

The vulnerability arises when a specially crafted HTTP/3 session causes the QPACK encoder stream to be reopened after it has already been closed or its associated memory has been freed. When NGINX processes this reopened stream, it dereferences a pointer to memory that has already been deallocated. This is a classic Use After Free condition: the memory region may have been reallocated for a different purpose, and any read or write through the stale pointer corrupts the new data or follows attacker controlled values.

Impact: Denial of Service and Conditional RCE

The immediate and reliably achievable impact is denial of service. The Use After Free causes the NGINX worker process to crash and restart. No conditions beyond network access and an HTTP/3 enabled configuration are required for this outcome.

The more severe impact, remote code execution, requires additional conditions that the F5 advisory describes as "beyond the attacker's control":

  1. ASLR must be disabled on the target system, or
  2. The attacker must possess a separate capability to bypass ASLR (for example, through an information leak vulnerability)

When ASLR is absent or defeated, the attacker can predict the layout of memory and craft the freed region's contents to redirect execution flow. This transforms the Use After Free from a crash into a controlled write primitive suitable for code execution.

Attack Flow

Based on the advisory details, an attack would proceed as follows:

  1. Prerequisite identification: The attacker identifies an NGINX instance accepting HTTP/3 connections. This is detectable through the Alt-Svc header or by probing UDP port 443 for QUIC responses.

  2. Session establishment: The attacker initiates a standard HTTP/3 QUIC session with the target server.

  3. QPACK stream manipulation: Within the session, the attacker crafts a sequence of QUIC frames that causes the QPACK encoder stream to be closed and then reopened. The specific framing that triggers this behavior exploits a logic error in ngx_http_v3_module's stream lifecycle management.

  4. Use After Free trigger: When NGINX processes the reopened encoder stream, it accesses freed memory. For DoS, this is sufficient; the worker process crashes.

  5. RCE exploitation (conditional): If ASLR is disabled, the attacker can arrange for the freed memory to be reallocated with attacker controlled content before the stale pointer is dereferenced, enabling arbitrary code execution in the context of the NGINX worker process.

The F5 advisory confirms this is a data plane issue only, meaning the NGINX control plane is not exposed through this vulnerability.

CVSS Breakdown

MetricCVSS v3.1CVSS v4.0
Score8.1 High9.2 Critical
Attack VectorNetworkNetwork
Attack ComplexityHighHigh
Privileges RequiredNoneNone
User InteractionNoneNone
Confidentiality ImpactHighHigh
Integrity ImpactHighHigh
Availability ImpactHighHigh

The High attack complexity rating in both scoring systems reflects the conditions beyond the attacker's control and the ASLR requirement for full exploitation.

Affected Systems and Versions

The vulnerability affects a narrow set of NGINX Open Source versions but propagates through multiple downstream F5 products.

NGINX Open Source

Only the 1.31.x mainline branch is affected:

Vulnerable VersionsFixed Version
1.31.0, 1.31.11.31.2

Organizations running the NGINX stable branch (1.30.x and earlier) are not affected by this specific CVE. Software versions that have reached End of Technical Support (EoTS) are not evaluated per F5's policy.

Downstream F5 Products

ProductVulnerable VersionsResolution
NGINX Instance Manager2.17.0 through 2.22.0See F5 advisory
NGINX Gateway Fabric (Branch 2.x)2.0.0 through 2.6.3See F5 advisory
NGINX Gateway Fabric (Branch 1.x)1.3.0 through 1.6.2See F5 advisory
NGINX Ingress Controller (Branch 5.x)5.0.0 through 5.5.0See F5 advisory
NGINX Ingress Controller (Branch 4.x)4.0.0 through 4.0.1See F5 advisory
NGINX Ingress Controller (Branch 3.x)3.5.0 through 3.7.2See F5 advisory

Required Configuration

The vulnerability is only exploitable when HTTP/3 QUIC is enabled. Specifically, the listen directive must include the quic parameter:

listen 443 quic reuseport;

Instances configured without quic in their listen directives do not invoke the vulnerable ngx_http_v3_module code path and are not at risk.

Mitigation

The F5 advisory provides a single explicit workaround: remove quic from all listen directives. For example, change:

listen 443 quic reuseport;

to:

listen 443 ssl;

This eliminates the vulnerable code path entirely. The definitive fix is upgrading to NGINX Open Source 1.31.2 or later.

Additional defense in depth measures worth implementing:

  • Verify ASLR is enabled on all NGINX hosts. On Linux, check with cat /proc/sys/kernel/randomize_va_space (the value should be 2). This does not prevent the DoS scenario but blocks the RCE path.
  • Restrict UDP port 443 at the network perimeter to limit QUIC exposure where patching cannot be applied immediately.
  • Monitor for repeated worker process restarts, which may indicate active exploitation attempts.
  • Inventory all NGINX derived products across your environment, including Kubernetes ingress controllers, API gateways, and management planes that embed NGINX.

Vendor Security History

The 2026 calendar year has been particularly active for NGINX security disclosures. CVE-2026-42530 is the eighth NGINX CVE disclosed this year:

CVEModuleTypeCVSS v3.1DisclosedExploited in Wild
CVE-2026-42530ngx_http_v3_moduleUse After Free8.1Jun 17, 2026No evidence yet
CVE-2026-9256ngx_http_rewrite_moduleHeap Buffer OverflowMediumMay 22, 2026No
CVE-2026-42945ngx_http_rewrite_moduleHeap Buffer Overflow8.1May 13, 2026Yes
CVE-2026-40460ngx_quic_moduleIP Spoofing/Auth BypassMediumMay 13, 2026No
CVE-2026-42946ngx_http_scgi/uwsgi_moduleMemory Over Read6.5May 13, 2026No
CVE-2026-42934ngx_http_charset_moduleHeap Over Read4.8May 13, 2026No
CVE-2026-40701ngx_http_ssl_moduleSSL Vulnerability4.8May 13, 2026No
CVE-2026-1642SSL upstreamMITM Injection8.8Feb 4, 2026No

The May 13 disclosure batch alone included seven CVEs, published under F5's Quarterly Security Notification. The most consequential of these, CVE-2026-42945 (dubbed "NGINX Rift"), was an 18 year old heap buffer overflow in the rewrite module. VulnCheck confirmed active exploitation within four to five days of disclosure. Security researcher Kevin Beaumont noted that RCE for that vulnerability also required ASLR to be disabled, a condition that parallels CVE-2026-42530.

The HTTP/3 QUIC module specifically has been a recurring source of vulnerabilities. Including CVE-2026-42530, there have been at least eight HTTP/3 related CVEs across 2024 and 2026:

CVEYearIssue
CVE-2024-249902024Use After Free in HTTP/3
CVE-2024-249892024NULL Pointer Dereference
CVE-2024-327602024Buffer Overwrite in HTTP/3
CVE-2024-310792024Stack Overflow/Use After Free
CVE-2024-352002024NULL Pointer Dereference
CVE-2024-341612024Memory Disclosure
CVE-2026-404602026QUIC Source IP Spoofing
CVE-2026-425302026QPACK Use After Free

This pattern suggests that the HTTP/3 implementation in NGINX remains an immature attack surface. The combination of a relatively new protocol, complex stream management across QPACK encoder and decoder streams, and manual memory management in C creates multiple opportunities for memory corruption flaws. Organizations should evaluate whether HTTP/3 is operationally necessary for their deployments and consider disabling it where the performance benefits do not justify the additional attack surface.

The CSA (Cyber Security Agency) of Singapore has also issued advisories covering the May 2026 F5 vulnerabilities, indicating international governmental attention to NGINX security posture.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization