The Hacker News | 2 min read

F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution

F5 released security updates on March 18, 2026, to patch two critical vulnerabilities in NGINX Open Source that allow for remote code execution.

The first vulnerability, CVE-2026-42530, is a use-after-free flaw within the ngx_http_v3_module, carrying a CVSS v4 score of 9.2. This flaw can be exploited by a remote, unauthenticated attacker when NGINX Open Source is configured to use HTTP/3.

The second vulnerability, CVE-2026-42531, is a buffer overflow issue in the ngx_http_proxy_module, also rated critical with a CVSS v4 score of 9.2. This vulnerability can be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to use the HTTP/2 protocol.

Successful exploitation of either vulnerability could allow an attacker to execute arbitrary code on the affected server, potentially leading to a complete system compromise. F5 advises users to update their NGINX Open Source installations to the latest versions to mitigate these risks. The company has provided specific patch versions for each vulnerability, urging immediate application to prevent potential exploitation. These patches are crucial for maintaining the security and integrity of web servers running NGINX Open Source.
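A triage check for the two preconditions the article gives (HTTP/3 enabled; HTTP/2 together with the proxy module), added here as an example and not taken from the article or from F5. The mapping to `listen ... quic`, `http2 on` / `listen ... http2` and `proxy_pass`, the function name `nginx_proto_exposure` and the sample configuration are assumptions made for this example; the article names no directives.

```sh
#!/bin/sh
# Added example (not from the article or from F5). Reads an NGINX config dump
# on stdin and reports whether the preconditions the article names are present.
# Assumption: the directive-to-condition mapping below is ours, not the advisory's.

# Constructed sample configuration.
SAMPLE_CONF='
server {
    listen 443 ssl;
    listen 443 quic reuseport;    # HTTP/3 listener
    # http2 on;                   # commented out: must not count
    location / { proxy_pass http://127.0.0.1:8080; }
}
'

# Boundary before a directive name: line start, whitespace, or ; { }
B='(^|[;{}[:space:]])'

# _has REGEX: true if the comment-stripped config in $_conf matches REGEX.
_has() { printf '%s\n' "$_conf" | grep -Eq "$1"; }

nginx_proto_exposure() {
    # Strip comments first (a literal "#" inside a quoted value is also cut;
    # acceptable for a triage check).
    _conf=$(sed 's/#.*$//')
    _h3=no; _h2=no; _px=no
    # HTTP/3: a listen directive carrying the "quic" parameter.
    if _has "${B}listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;)"; then _h3=yes; fi
    # HTTP/2: "http2 on;" or the legacy "listen ... http2" parameter.
    if _has "${B}http2[[:space:]]+on[[:space:]]*;" ||
       _has "${B}listen[[:space:]][^;]*[[:space:]]http2([[:space:]]|;)"; then _h2=yes; fi
    # Proxy module in use: any proxy_pass directive.
    if _has "${B}proxy_pass[[:space:]]"; then _px=yes; fi
    echo "http3=$_h3 http2=$_h2 proxy=$_px"
}

# Stand-alone run on the sample; prints: http3=yes http2=no proxy=yes
printf '%s\n' "$SAMPLE_CONF" | nginx_proto_exposure
```

Feed it the effective configuration with `nginx -T 2>/dev/null | nginx_proto_exposure`. A `yes` shows only that the feature is enabled; whether a given build is affected depends on the fixed versions listed in F5's advisory.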
