Description
NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-06-17
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free (CWE-416) in the NGINX Open Source ngx_http_v3_module. A remote, unauthenticated attacker can craft an HTTP/3 session that reopens a QPACK encoder stream, causing the worker process to touch memory that has already been freed. The immediate effect is a worker crash and restart (denial of service); when Address Space Layout Randomization is disabled or can be bypassed, the same flaw can be turned into code execution in the worker process.

Affected Systems

The flaw affects NGINX Open Source deployments built with ngx_http_v3_module and configured to serve HTTP/3 over QUIC. No affected version range is listed on this page, so any instance with HTTP/3 enabled should be treated as potentially vulnerable until the vendor advisory specifies one. Per the description, the vulnerable path is reached only when HTTP/3 is configured; a build that includes the module but never enables an HTTP/3 listener does not expose it to the network. End-of-support releases are not evaluated by the vendor and are therefore outside the scope of this assessment.

Risk and Exploitability

The CVSS v4.0 score of 9.2 (Critical; CVSS v3.1 8.1, High) reflects full confidentiality, integrity and availability impact with no privileges or user interaction required, while the High attack-complexity component captures the "conditions beyond their control" noted in the vendor description. The EPSS score of <1% indicates that exploitation is currently expected to be rare, the flaw is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates the issue as not automatable. An attacker needs only network access to an HTTP/3 listener to trigger the worker crash; turning the use-after-free into code execution additionally requires that the target run with ASLR disabled or that the attacker have an ASLR bypass.

Generated by OpenCVE AI on June 18, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's NGINX patch once it is published, or upgrade to a supported release that addresses the ngx_http_v3_module use-after-free; at the time of this page no fix or workaround is listed.
  • If HTTP/3 is not required, remove the attack surface: drop every "listen ... quic" directive and any "http3 on;" setting from the configuration (HTTP/3 is off by default), stop advertising h3 in the Alt-Svc header, and reload. If the module itself is not needed, rebuild nginx without --with-http_v3_module.
  • Ensure that ASLR is enabled and effective: on Linux, kernel.randomize_va_space should be 2, and the nginx binary should be built as a position-independent executable so that its own code is randomized. ASLR raises the cost of exploitation but does not prevent the use-after-free or the worker crash, so it is a mitigation, not a fix.
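As an added example (not code from the OpenCVE page or the NGINX project), the following POSIX shell script audits an nginx configuration for the HTTP/3 exposure described above, checks whether a build includes the module, and interprets the Linux ASLR setting. The configuration snippets, the sample "nginx -V" output and the function names are constructed for this illustration; the directives themselves (listen ... quic, http3, --with-http_v3_module, kernel.randomize_va_space) are the real ones.

```shell
#!/bin/sh
# Added example, not from the OpenCVE page or the NGINX project.
# Audits an nginx configuration for HTTP/3 (QUIC) exposure, checks whether a
# build includes ngx_http_v3_module, and interprets the Linux ASLR sysctl.

# Constructed sample: a server block that enables HTTP/3 (the exposed form).
WEAK_CFG=$(cat <<'EOF'
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # QUIC listener: HTTP/3 reachable from the network
    http3 on;
    server_name example.test;
    add_header Alt-Svc "h3=\":443\"; ma=86400";
}
EOF
)

# Constructed sample: the same server with HTTP/3 removed (the hardened form).
# The commented-out listen line must not count as exposure.
HARDENED_CFG=$(cat <<'EOF'
server {
    listen 443 ssl;
    # listen 443 quic reuseport;
    http2 on;
    http3 off;
    server_name example.test;
}
EOF
)

# Constructed sample of "nginx -V 2>&1" output from a build that includes the module.
NGINX_V_SAMPLE='configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-http_v3_module'

# Prints "exposed" when the config enables an HTTP/3 endpoint: a "listen ... quic"
# directive or "http3 on;". Comments are stripped first so disabled lines are ignored.
h3_exposure() {
    stripped=$(printf '%s\n' "$1" | sed 's/#.*$//')
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]quic([[:space:];]|$)'; then
        echo exposed
    elif printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*http3[[:space:]]+on[[:space:]]*;'; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Prints "yes" if the given "nginx -V" output shows the HTTP/3 module compiled in.
built_with_h3() {
    if printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'; then
        echo yes
    else
        echo no
    fi
}

# Interprets kernel.randomize_va_space (0 = off, 1 = partial, 2 = full).
# Takes the value as an argument so it can be tested offline; on a live host call
#   aslr_status "$(cat /proc/sys/kernel/randomize_va_space)"
aslr_status() {
    case "$1" in
        2) echo full ;;
        1) echo partial ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combines the three checks into one verdict for a host.
# Arguments: config text, "nginx -V" text, randomize_va_space value.
verdict() {
    exposure=$(h3_exposure "$1")
    module=$(built_with_h3 "$2")
    aslr=$(aslr_status "$3")
    if [ "$module" = yes ] && [ "$exposure" = exposed ]; then
        if [ "$aslr" = full ]; then
            echo "VULNERABLE: HTTP/3 reachable; ASLR full (worker crash/DoS still possible)"
        else
            echo "VULNERABLE: HTTP/3 reachable; ASLR $aslr (code execution risk elevated)"
        fi
    elif [ "$module" = yes ]; then
        echo "MITIGATED: module built in but no HTTP/3 endpoint configured"
    else
        echo "NOT AFFECTED: ngx_http_v3_module not compiled in"
    fi
}

verdict "$WEAK_CFG" "$NGINX_V_SAMPLE" 0
verdict "$HARDENED_CFG" "$NGINX_V_SAMPLE" 2
```

On a live host, feed the script the output of "nginx -T" (the fully resolved configuration, so included files are covered), "nginx -V 2>&1" and the sysctl value; a MITIGATED verdict still warrants patching, because an operator can re-enable the QUIC listener later.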

Generated by OpenCVE AI on June 18, 2026 at 19:29 UTC.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:00:00 +0000

Type: First Time appeared
Values Added: F5; F5 nginx Open Source
Type: Vendors & Products
Values Added: F5; F5 nginx Open Source

Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Added: NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Type: Title
Values Added: NGINX Open-Source ngx_http_v3_module vulnerability
Type: Weaknesses
Values Added: CWE-416
Type: References
Values Added:
Type: Metrics
Values Added:

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-06-18T03:57:47.803Z

Reserved: 2026-06-02T21:45:04.719Z

Link: CVE-2026-42530

Vulnrichment

Updated: 2026-06-17T15:43:34.568Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:45:15Z

Weaknesses