Description
NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-06-17
Score: 9.2 Critical
EPSS: 3.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the NGINX Open Source ngx_http_v3_module. An unauthenticated attacker can craft a special HTTP/3 session to reopen a QPACK encoder stream, which leads to use of uninitialized memory inside the worker process. When Address Space Layout Randomization is disabled or bypassed, this flaw can be turned into code execution on the affected system.

Affected Systems

Affects all NGINX Open Source installations provided by F5 that enable the HTTP/3 QUIC module and load the ngx_http_v3_module. No specific product version is listed, but any instance configured with the module is potentially vulnerable. End‑of‑support releases are not evaluated and therefore are considered outside the scope of this assessment.

Risk and Exploitability

The CVSS score of 9.2 indicates a high‑severity weakness, but the EPSS score of 2% indicates exploitation is unlikely and low probability. The flaw is not listed in CISA’s KEV catalog. Attackers must be able to send malicious HTTP/3 traffic and control the QUIC connection; they also need the target to be running with ASLR disabled or to bypass ASLR to gain code‑execution capability.

Generated by OpenCVE AI on June 24, 2026 at 12:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest NGINX patch or upgrade to a supported release that addresses the ngx_http_v3_module use‑after‑free flaw.
  • If HTTP/3 is not required, disable the QUIC module or remove the ngx_http_v3_module from the configuration to eliminate the attack surface.
  • Ensure that Address Space Layout Randomization is enabled on the system, or re‑enable it if it has been turned off, to reduce the likelihood that the flaw leads to code execution.

Generated by OpenCVE AI on June 24, 2026 at 12:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 18 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Open Source
Vendors & Products F5
F5 nginx Open Source

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX Open-Source ngx_http_v3_module vulnerability
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

F5 Nginx Open Source
cve-icon MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-06-30T12:08:40.670Z

Reserved: 2026-06-02T21:45:04.719Z

Link: CVE-2026-42530

cve-icon Vulnrichment

Updated: 2026-06-30T12:08:40.670Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-17T14:04:32Z

Links: CVE-2026-42530 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses