CVE-2026-42530: Critical NGINX HTTP/3 Flaw Can Trigger DoS and Possible RCE
ID: 9ef496c4-7084-559a-9935-a43f9196e7ac
STIX ID: report--9ef496c4-7084-559a-9935-a43f9196e7ac
Feed Name: SOC Prime Blog
F5 issued out-of-band security updates for critical NGINX vulnerabilities, notably CVE-2026-42530: a use-after-free in the ngx_http_v3_module that can crash worker processes and, where ASLR is disabled or bypassed, enable arbitrary code execution. The issue affects NGINX Open Source 1.31.0 and 1.31.1 with HTTP/3 QUIC enabled; the advisory recommends upgrading to 1.31.2 or applying vendor patches, inventorying HTTP/3-enabled systems, and limiting protocol exposure while patching. No public exploit or stable IOCs were reported at the time.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
