Tags: NGINX · CVE-2026-42530 · HTTP/3 · Continuous Validation

NGINX CVE-2026-42530: Unauthenticated RCE in the Reverse Proxy in Front of Everything

F5's out-of-band patch fixes two CVSS 9.2 unauthenticated NGINX flaws — CVE-2026-42530 (HTTP/3) and CVE-2026-42055 (HTTP/2 upstream). Why an RCE in your reverse proxy is the worst kind.

Zero Hunt Research · 7 min read

F5 does not ship out-of-band patches lightly. On 17 June 2026 it did exactly that, fixing two critical NGINX vulnerabilities — CVE-2026-42530 and CVE-2026-42055, both rated CVSS 9.2 — outside the normal release cadence, as BleepingComputer reported. Both are reachable by a remote, unauthenticated attacker. Both corrupt memory inside the NGINX worker process. And NGINX is not an appliance sitting at the edge of someone else's network — by W3Techs' running survey it serves 32.8% of all websites with a known web server as of April 2026, the single most-deployed web server and reverse proxy on the internet. An unauthenticated memory-corruption bug in that role is the worst-placed bug there is, and it is worth being precise about why.

What CVE-2026-42530 and CVE-2026-42055 actually do

The two flaws hit different protocol paths but share a property: the attacker never authenticates, and the corruption lands in the worker process that terminates client connections.

CVE-2026-42530 is a use-after-free in ngx_http_v3_module, the HTTP/3 implementation in NGINX Open Source. A crafted HTTP/3 session reopens a QPACK encoder stream that should already be closed; NGINX continues to reference the freed stream state, corrupting memory in the worker. The reliable outcome is a worker crash and restart, a denial of service. The unreliable but real outcome, per the NGINX security advisory, is arbitrary code execution under specific conditions, principally where ASLR is disabled or can be bypassed. One scoping point worth checking before triage: the HTTP/3 code only handles traffic on a QUIC listener (a listen directive with the quic parameter, normally paired with http3 on), so an instance that serves HTTP/1.1 and HTTP/2 only does not expose this path over the network. It still needs the patch; it is just not the one to lose sleep over tonight.

CVE-2026-42055 is a heap-based buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module, affecting both NGINX Open Source and NGINX Plus. It is reachable specifically when NGINX proxies to an upstream over HTTP/2 — proxy_http_version 2 or grpc_pass — with ignore_invalid_headers off and large_client_header_buffers set above 2 MB. Under that configuration a remote, unauthenticated attacker sends oversized or malformed headers, and NGINX overflows the heap while constructing the upstream request. This is the more interesting of the two from an attacker's standpoint, because the corruption happens on the outbound path — the moment NGINX turns a client request into a backend request — which is exactly the trusted seam most architectures never think to defend.

F5 fixed both in NGINX Open Source 1.30.3 and 1.31.2, with corresponding NGINX Plus and Gateway Fabric releases. At time of writing there is no confirmed exploitation in the wild. That last sentence matters, and it is the one most likely to be misread: absence of confirmed exploitation says nothing about exploitability, and for a bug class this exposed the two are routinely confused.

The ASLR caveat is not the reassurance it sounds like

The HTTP/3 advisory carries a qualifier that has already started doing comfort work in security-team Slack channels: full code execution requires ASLR to be disabled or bypassed; otherwise you "only" get a crash. It is worth saying clearly what that does and does not buy you.

"It's only a DoS unless ASLR is off, and our ASLR is on."

ASLR raises the cost of turning memory corruption into code execution. It does not make it impossible: the standard route around it is to pair an information leak with the corruption primitive, and that is how memory bugs in network-facing daemons are usually taken from crash to control. NGINX adds a wrinkle of its own. Workers are forked from a long-lived master without an exec, so a respawned worker inherits the master's address-space layout rather than drawing a fresh one; every crash the attacker triggers is another guess against the same layout, not a reset of the odds, until the master itself is restarted. More to the point, the fallback outcome is a remote, unauthenticated crash of the process that terminates every client connection. For a reverse proxy fronting a payment flow, an API gateway, or a regulated service, an attacker who can deterministically restart your worker pool at will is not a footnote. It is an availability incident under NIS2 and DORA, and it is a precondition the same attacker can iterate on toward the harder target. "Only a DoS" is doing a lot of load-bearing work in that sentence.

Why the reverse proxy is the worst place for this

A reverse proxy occupies a structural position that turns an ordinary memory bug into a category problem. Three properties stack:

  • It is internet-facing by definition. The whole job of NGINX in this role is to accept untrusted connections from anyone. There is no network segmentation to hide behind — the attack surface is the public internet, deliberately.
  • It sees plaintext. The proxy terminates TLS, which means it handles every request and response in the clear, including the ones your application layer encrypts end-to-end from the browser. Code execution here is code execution with a view of all of it.
  • It is trusted by everything behind it. Your WAF rules, your application's authentication, your service mesh's mTLS — they frequently treat traffic from the proxy as already-vetted. An attacker running code inside the worker is positioned on the trusted side of all of them, with credentials and upstream connections already established.

That is the same uncomfortable lesson the rest of 2026's edge-infrastructure disclosures keep teaching, and it rhymes with the HTTP/2 resource-exhaustion class we wrote about earlier: the protocol-handling code at the perimeter is both the most exposed and the most trusted, and those two facts are in permanent tension.

The detection and remediation gap a quarterly pentest leaves open

Here is the operational problem CVE-2026-42055 in particular creates. The vulnerable condition is not "you run NGINX." It is "you run NGINX and you proxy HTTP/2 upstream and ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB." Two of those three are deviations from the shipped defaults (ignore_invalid_headers defaults to on, and large_client_header_buffers to 4 8k), which means a fresh install is not in the reachable state and a drifted one is. Whether any given environment is exploitable is a function of configuration, and configuration drifts continuously: a platform team raises a buffer limit to fix a legitimate large-header upstream, and silently moves an asset from safe to exploitable months after the CVE was "handled."

Map that against how most organisations validate:

Validation model            What it sees for CVE-2026-42055
--------------------------  ----------------------------------------------------------------------
Version scanner             Flags NGINX below the fixed releases (1.30.3 / 1.31.2), but cannot tell whether this instance's config is in the reachable state
Annual / quarterly pentest  A point-in-time snapshot; the config that makes you vulnerable may not exist on test day, then appear next week
Patch dashboard             Green once the package is updated; silent on the live config that re-introduces risk on drift
Behavioural validation      Actually sends the malformed HTTP/2 upstream sequence against the running config and observes whether the worker corrupts

A scanner that reads a version string and a pentest that runs once a quarter both answer a question adjacent to the one that matters. The question that matters — can an attacker reach the heap overflow against this proxy, in its current configuration, today? — is a behavioural question, and it has a behavioural answer only if something keeps asking it.
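The cheapest thing a team can do today, before any behavioural check exists, is ask the running config the three-part question directly. The script below is an added example written for this post, not code from F5, NGINX or the Zero Hunt platform. It reads an nginx -T dump (or a single config file) and reports whether the CVE-2026-42055 shape described above is present (an HTTP/2 upstream via grpc_pass or proxy_http_version 2, ignore_invalid_headers off, and a large_client_header_buffers size above 2 MB), and separately whether any QUIC listener makes the CVE-2026-42530 HTTP/3 path reachable at all. Assumptions: the directive names and values are exactly as the post states them, "2 MB" means 2097152 bytes, and the two sample configs are constructed for the demo. It is a static check and deliberately conservative (it does not work out which server or location block each directive belongs to), which is precisely the limitation the section above is about.

```shell
#!/bin/sh
# Added example: static config pre-check for the CVE-2026-42055 / CVE-2026-42530
# reachability conditions described in the post. Not vendor code.
# Usage: nginx -T > dump.conf && . ./nginx_edge_check.sh && check_config dump.conf

# nginx size value ("8k", "4m", "2048k", "4096") -> bytes
to_bytes() {
  case "$1" in
    *[mM]) echo $(( ${1%[mM]} * 1048576 )) ;;
    *[kK]) echo $(( ${1%[kK]} * 1024 )) ;;
    *)     echo "$1" ;;
  esac
}

# drop comments (nginx -T also emits "# configuration file ..." lines)
strip_comments() { sed 's/#.*//' "$1"; }

# largest large_client_header_buffers size in the file, bytes (default 4 8k)
max_header_buffer() {
  max=8192
  for sz in $(strip_comments "$1" \
      | awk '$1=="large_client_header_buffers" && NF>=3 {s=$3; sub(/;$/,"",s); print s}'); do
    b=$(to_bytes "$sz")
    [ "$b" -gt "$max" ] && max=$b
  done
  echo "$max"
}

has_h2_upstream() {
  strip_comments "$1" | grep -Eq '(^|[[:space:]])(grpc_pass[[:space:]]|proxy_http_version[[:space:]]+2[[:space:]]*;)'
}
has_invalid_headers_off() {
  strip_comments "$1" | grep -Eq '(^|[[:space:]])ignore_invalid_headers[[:space:]]+off[[:space:]]*;'
}
# HTTP/3 is only served on a QUIC listener, so this is the CVE-2026-42530 gate
has_quic_listener() {
  strip_comments "$1" | grep -Eq '(^|[[:space:]])listen[[:space:]].*[[:space:]]quic([[:space:];]|$)'
}

# 0 when all three CVE-2026-42055 conditions are present, 1 otherwise
config_reachable() {
  has_h2_upstream "$1" || return 1
  has_invalid_headers_off "$1" || return 1
  [ "$(max_header_buffer "$1")" -gt 2097152 ] || return 1
}

check_config() {
  if config_reachable "$1"; then
    echo "$1: CVE-2026-42055 shape PRESENT (h2 upstream, ignore_invalid_headers off, buffers > 2 MB)"
  else
    echo "$1: CVE-2026-42055 shape absent (still patch to 1.30.3 / 1.31.2)"
  fi
  if has_quic_listener "$1"; then
    echo "$1: QUIC listener present, CVE-2026-42530 HTTP/3 path is exposed"
  else
    echo "$1: no QUIC listener, CVE-2026-42530 HTTP/3 path not reachable over the network"
  fi
}

# Constructed samples: one config that drifted into the reachable state, one hardened.
write_samples() {
  cat > "$1/drifted.conf" <<'EOF'
http {
    large_client_header_buffers 4 4m;   # raised for a large-header upstream
    server {
        listen 443 ssl;
        listen 443 quic;
        ignore_invalid_headers off;
        location /api/ { proxy_http_version 2; proxy_pass https://backend; }
    }
}
EOF
  cat > "$1/hardened.conf" <<'EOF'
http {
    large_client_header_buffers 8 2048k;  # exactly 2 MB, not above it
    server {
        listen 443 ssl;
        ignore_invalid_headers on;
        location /grpc/ { grpc_pass grpc://backend; }
    }
}
EOF
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); write_samples "$d"
  check_config "$d/drifted.conf"; check_config "$d/hardened.conf"; rm -rf "$d"
fi
```

Run it with --demo to see both verdicts, or feed it a real nginx -T dump from each edge host. Note the hardened sample is caught correctly for the wrong reason as well as the right one: it still has an HTTP/2 upstream, so a single buffer-size bump in a later change would flip it to reachable, which is exactly the drift case a one-off run of this script will never see.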

How Zero Hunt approaches an unauthenticated proxy RCE

This is the scenario the Zero Hunt platform's first pillar — the AI Generative Pentest — is built to close. The 10-agent swarm does not check a version string and move on. For a flaw like CVE-2026-42530 or CVE-2026-42055, the Exploit agent writes a per-target exploit against the proxy as it is actually configured: it reconstructs the malformed HTTP/3 QPACK reopen or the oversized HTTP/2 upstream header sequence and fires it at your NGINX, then the Recon and Pivot agents map what code execution in that worker would actually reach behind it. Every exploit is generated locally by the on-prem LLM and runs in an ephemeral, gVisor-hardened container, so probing your production-shaped proxy never touches the host. Before any such technique reaches a customer environment it is backtested in the AI Gym against the Vulhub and Vulhub-Bench corpora, so the engine is validating with a method that has already been proven against known-CVE black-box targets rather than improvising.

Because NGINX configuration drifts, the cadence is the point. A change-triggered campaign re-runs the check when a new perimeter asset appears or a config changes — the difference between knowing you were safe on test day and knowing you are safe now. Each finding is ECDSA-signed at write time, so when the auditor or the cyber-insurer asks "prove the reverse proxy fronting the payment flow was not exploitable on the day of the incident," the answer is a verifiable evidence record, not a recollection.

And for the window before a per-target exploit can be written and run, Zero Hunt's second pillar — the AI Traffic Analysis model — watches the wire. Its four inference heads, running locally on the appliance GPU at multi-gigabit line rate, are trained to flag exactly the traffic shape these flaws require: anomalous HTTP/3 QPACK stream behaviour, oversized or malformed header sequences hitting an upstream path, and the worker-process anomalies that follow a successful corruption — while it is happening, not in the next morning's SIEM digest. CVE-2026-42530 and CVE-2026-42055 have no confirmed in-the-wild exploitation yet. The reverse proxy is the wrong place to find out the hard way that they do.

If continuous, evidence-backed validation of your internet-facing edge is the gap, that is the conversation to start here.