PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42530 F5 CVE debrief

A critical vulnerability CVE-2026-42530 was found in NGINX Open Source's HTTP/3 QUIC module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Attackers can also execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.

Vendor
F5
Product
NGINX Open Source
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-07-02
Advisory published
2026-06-17
Advisory updated
2026-07-02

Who should care

Users of NGINX Open Source configured with the HTTP/3 QUIC module, especially those with ASLR disabled or bypassed, should prioritize patching this vulnerability to prevent potential code execution and service disruption.

Technical summary

The vulnerability exists in the ngx_http_v3_module module of NGINX Open Source. A remote unauthenticated attacker can exploit this by crafting a special HTTP/3 session to reopen a QPACK encoder stream, potentially leading to a Use-after-Free in the NGINX worker process. This can cause the worker process to restart. In certain conditions, such as when ASLR is disabled or can be bypassed, attackers may also be able to execute code.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor-provided patches or updates for NGINX Open Source to address the vulnerability in the HTTP/3 QUIC module.
  • Review and update NGINX configurations to ensure the HTTP/3 QUIC module is properly secured.
  • Implement additional monitoring to detect potential exploitation attempts.
  • Consider disabling the HTTP/3 QUIC module if not required.
  • Ensure systems have Address Space Layout Randomization (ASLR) enabled where possible.

Evidence notes

The CVE record was published on 2026-06-17T15:16:50.630Z and was last modified on 2026-07-02T20:03:41.113Z. The NVD entry is currently Analyzed. Vendor advisory and third-party references are available.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T15:16:50.630Z and has not been modified since then. The NVD entry is currently Analyzed.