NGINX 1.31.2 / 1.30.3 patches HTTP/3 UAF (CVE-2026-42530) and two more
F5 shipped NGINX 1.31.2 and 1.30.3 on June 17 fixing a use-after-free in the HTTP/3 module, a heap overflow in proxy_v2/grpc, and a buffer overread in charset.
F5 shipped nginx 1.31.2 (mainline) and 1.30.3 (stable) on June 17, 2026 out-of-band, addressing three CVEs in the open-source web server. The headline bug is CVE-2026-42530 — a use-after-free in ngx_http_v3_module (HTTP/3 / QUIC) with a CVSS v4 score of 9.2, exploitable by a remote unauthenticated attacker who can open an HTTP/3 session against the server. Two further fixes ship in the same cycle:
- CVE-2026-42055 — heap buffer overflow in `ngx_http_proxy_v2_module` and `ngx_http_grpc_module`. Oversized upstream headers crash the worker; RCE possible if ASLR is disabled or bypassed. CVSS v4 9.2.
- CVE-2026-48142 — heap buffer over-read in `ngx_http_charset_module`. Limited memory disclosure or worker restart. CWE-125. Lower severity, but reachable from an unauthenticated request when the right `charset` configuration is in place.
The primary record for the release is the nginx GitHub releases page, which lists the three CVEs verbatim in the 1.31.2 and 1.30.3 changelogs. F5 published per-CVE K-articles: K000161616 for CVE-2026-42530 and K000161585 for CVE-2026-48142.
What's affected
- CVE-2026-42530 (HTTP/3 UAF) — only affects mainline NGINX 1.31.0 and 1.31.1. The stable 1.30.x line never shipped the HTTP/3 module, so the stable branch is not exposed to this CVE specifically. NGINX Plus releases that bundle 1.31.x are also vulnerable.
- CVE-2026-42055 (proxy_v2 / grpc overflow) — affects open source from 1.13.10 up through 1.31.1 and the 1.30.x line before 1.30.3. Any deployment proxying gRPC upstream, or fronted by a load balancer that forwards PROXY-protocol v2, is in scope.
- CVE-2026-48142 (charset over-read) — affects open source from 0.3.50 through 1.31.1, but only fires in locations where both `source_charset utf-8;` and a `charset` directive are configured. F5 notes the impact is data-plane only — no control-plane exposure.
Downstream packages: NGINX Gateway Fabric 1.3.0 through 2.6.3 and NGINX Ingress Controller 5.0.0 through 5.5.0 require the matching downstream rebuilds (NGINX Gateway Fabric 2.6.4 is the fixed version published alongside the upstream release). If you run an OpenResty, Tengine, or other NGINX-derived distribution, wait for the maintainer's rebuild rather than patching the upstream tarball into a custom build.
CVE-2026-42530 — the HTTP/3 bug
A crafted HTTP/3 session that reopens a QPACK encoder stream triggers the use-after-free in the worker process. Repeated reopens are denial-of-service; remote code execution requires either an ASLR-disabled host or a separate memory-disclosure primitive to bypass ASLR. Modern Linux distributions ship with ASLR on by default, so the realistic primary impact for most deployments is repeated worker churn — which on a single-node edge is enough to take the site offline.
The HTTP/3 module is opt-in. It only runs if your `listen` directive carries the `quic` parameter and you have `http3 on;`. Deployments that have not enabled HTTP/3 are not exposed to CVE-2026-42530 specifically, though the other two CVEs still apply and the patch path is the same.
Exploitation status
F5's K-articles do not report active in-the-wild exploitation for any of the three CVEs at time of writing. No public proof-of-concept has been published. PSIRT discovery credit is not on the K-articles yet — the bug reports appear to be internal.
That posture can shift quickly. The QPACK stream-reopen trigger is a small enough behavioral description that reproducing it on the open-source codebase becomes tractable for anyone reading the 1.31.2 diff. Treat the patch as urgent on any HTTP/3-enabled edge regardless of the lack of public PoC today.
Action checklist
- Upgrade to nginx 1.31.2 (mainline) or 1.30.3 (stable) today. NGINX Plus operators take the R37 patch or the R36 patch per the F5 advisory references.
- If patching is delayed, turn off HTTP/3 in your `listen` directives (drop `quic`, set `http3 off;`, reload). That eliminates the CVE-2026-42530 attack surface entirely. The HTTP/2-and-below CVEs (42055, 48142) have no configuration-side mitigation — only the patch.
- Inventory derivative builds. Any container image, appliance firmware, or Kubernetes ingress that ships an NGINX older than today is in scope. ingress-nginx and NGINX Gateway Fabric are the obvious ones; OEM appliances are the hidden ones.
- Audit your `charset` blocks. The over-read in CVE-2026-48142 only fires where `source_charset utf-8;` and a `charset` directive coexist. Where that combination is present, the patch is the only remediation.
- Watch for worker-restart loops in `error.log` once you re-enable HTTP/3 after patching — both as a regression check and as a probe-detection signal.
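The checklist above can be mechanized. What follows is an added example, not code from the advisory, from F5, or from the nginx project: POSIX shell helpers that check a reported version against the fixed releases (1.30.3 / 1.31.2), scan `nginx -T` output for the `quic` listen parameter and for the `source_charset utf-8;` plus `charset` combination, emit a copy of the config with the interim HTTP/3-off mitigation applied, and count worker-crash lines in an `error.log` excerpt. The configuration and log excerpts are constructed samples, and all function names are mine; the only nginx-specific strings relied on are the directive names the advisory cites and nginx's own "worker process N exited on signal S" message.

```shell
#!/bin/sh
# Added example (not from the advisory, F5, or nginx): audit helpers for the
# action checklist. Inputs are the text of `nginx -T` (or a config file) and
# the `nginx -v` version string; the samples below are constructed.

# Return 0 (true) when the version is older than the fixed release on its
# branch: anything below 1.30.3 (older lines are inside the affected ranges
# quoted above), or 1.31.0 / 1.31.1 on mainline.
needs_patch() {
    v=${1##*nginx/}                      # accept "nginx version: nginx/1.31.1" or "1.31.1"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}              # strip distro suffixes such as "-1~bookworm"
    [ "$major" -gt 1 ] && return 1
    [ "$major" -lt 1 ] && return 0
    [ "$minor" -gt 31 ] && return 1
    [ "$minor" -lt 30 ] && return 0
    if [ "$minor" -eq 30 ]; then
        [ "$patch" -lt 3 ]
    else
        [ "$patch" -lt 2 ]
    fi
}

# Return 0 when any uncommented listen directive carries the quic parameter,
# i.e. the CVE-2026-42530 surface is enabled.
has_quic_listen() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]quic([[:space:]]|;)'
}

# Return 0 when the CVE-2026-48142 precondition is present: both
# "source_charset utf-8;" and a "charset" directive. This looks at the whole
# dump rather than per location, so it errs on the side of flagging.
charset_combo() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*source_charset[[:space:]]+utf-8[[:space:]]*;' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*charset[[:space:]]+[^;]+;'
}

# Print a copy of the config with the interim mitigation applied: drop the
# quic parameter from listen directives and turn "http3 on;" into "http3 off;".
# Diff the result against the original before reloading.
disable_http3() {
    printf '%s\n' "$1" |
    sed -E -e '/^[[:space:]]*listen[[:space:]]/ s/[[:space:]]+quic([[:space:]]|;)/\1/' \
           -e 's/^([[:space:]]*http3[[:space:]]+)on[[:space:]]*;/\1off;/'
}

# Count worker crash lines in an error.log excerpt. A burst of these after
# re-enabling HTTP/3 is the regression / probe signal the checklist mentions.
worker_exits() {
    printf '%s\n' "$1" | grep -c 'worker process [0-9]* exited on signal'
}

# Constructed sample of what `nginx -T` might print for an HTTP/3-enabled edge.
SAMPLE_CONF='server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http3 on;
    source_charset utf-8;
    charset koi8-r;
}'

# Constructed error.log excerpt showing a worker restart loop.
SAMPLE_LOG='2026/06/17 10:00:01 [alert] 1200#1200: worker process 1301 exited on signal 11 (core dumped)
2026/06/17 10:00:01 [notice] 1200#1200: start worker process 1302
2026/06/17 10:00:03 [alert] 1200#1200: worker process 1302 exited on signal 11 (core dumped)'

if needs_patch "nginx/1.31.1"; then echo "1.31.1: upgrade to 1.31.2 / 1.30.3"; fi
has_quic_listen "$SAMPLE_CONF" && echo "HTTP/3 enabled: CVE-2026-42530 surface present"
charset_combo "$SAMPLE_CONF" && echo "charset + source_charset utf-8: CVE-2026-48142 precondition present"
echo "--- config with HTTP/3 disabled ---"
disable_http3 "$SAMPLE_CONF"
echo "worker exits in log excerpt: $(worker_exits "$SAMPLE_LOG")"
```

In production, feed the helpers `nginx -T 2>/dev/null` and `nginx -v 2>&1` instead of the samples; `disable_http3` only prints a candidate config, so write it to a temporary file, `nginx -t` it, and then reload. The charset check is deliberately coarse: it flags any dump containing both directives, and the per-location reading is left to the operator.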
Context
This is the second open-source NGINX security cycle in less than a month. The previous one (1.31.1 / 1.30.2 on May 22) shipped the fix for CVE-2026-9256, and the same ngx_http_rewrite_module was the source of CVE-2026-42945 — NGINX Rift, the heap overflow with a public PoC that VulnCheck observed in the wild. Today's lot adds the HTTP/3 module to the list of NGINX components that needed an emergency cycle in 2026.
The pattern is worth flagging: every recent NGINX security release has hit a module — rewrite, then HTTP/3, then proxy_v2 / grpc — that downstream operators heavily customize and rarely audit. If you maintain a custom build of NGINX on a frozen distro, the lag between upstream cycle and your roll-out is now the variable that matters most. Subscribe directly to the nginx-announce mailing list rather than waiting on a downstream package update.