
F5 Patches Critical, High-Severity NGINX Vulnerabilities

F5 released patches for critical unauthenticated RCE and DoS vulnerabilities in NGINX (CVE-2026-42530, CVE-2026-42055) affecting NGINX Plus, Controller, and related products. Attackers can exploit heap buffer overflows and use-after-free flaws without credentials to crash services or execute arbitrary code. High-severity configuration injection bugs in NGINX Gateway Fabric pose additional risk from authenticated attackers.

CRITICAL | Advisory | Jun 18, 2026
Action required
Immediately inventory all NGINX deployments in your environment. Prioritize patching NGINX Plus and NGINX Controller to the latest versions. Monitor for exploitation attempts targeting these CVEs and check logs for suspicious config injection patterns in Gateway Fabric instances.
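
An added example for the inventory step above (not from F5 or the original advisory): it parses `nginx -v` banners collected per host, separates NGINX Plus from open source builds, and queues hosts below a fixed build with Plus first. Host names, sample banners and the `fixed_plus`/`fixed_oss` thresholds are constructed placeholders; take the real fixed versions from F5's advisory.

```python
import re

# Banner format printed by `nginx -v`; NGINX Plus appends "(nginx-plus-rNN[-pN])".
BANNER = re.compile(
    r"nginx version: nginx/(?P<ver>\d+(?:\.\d+){1,2})"
    r"(?:\s+\(nginx-plus-r(?P<rel>\d+)(?:-p(?P<patch>\d+))?\))?"
)

# Constructed sample input: "<host>\t<output of nginx -v>" gathered per host.
SAMPLE = """\
edge-01\tnginx version: nginx/1.25.3 (nginx-plus-r31)
edge-02\tnginx version: nginx/1.27.2 (nginx-plus-r33-p1)
web-07\tnginx version: nginx/1.24.0
web-09\tbash: nginx: command not found
"""

def parse_inventory(text):
    """Return one record per host: edition, version tuple, Plus release."""
    records = []
    for line in text.splitlines():
        host, _, banner = line.partition("\t")
        m = BANNER.search(banner)
        if not m:
            records.append({"host": host, "edition": "unknown"})
            continue
        rec = {"host": host,
               "version": tuple(int(p) for p in m["ver"].split(".")),
               "edition": "plus" if m["rel"] else "oss"}
        if m["rel"]:
            rec["plus_release"] = (int(m["rel"]), int(m["patch"] or 0))
        records.append(rec)
    return records

def patch_queue(records, fixed_plus, fixed_oss):
    """Hosts below the fixed builds, NGINX Plus first as the advisory prioritizes."""
    queue = []
    for r in records:
        if r["edition"] == "plus" and r["plus_release"] < fixed_plus:
            queue.append((0, r["host"]))
        elif r["edition"] == "oss" and r["version"] < fixed_oss:
            queue.append((1, r["host"]))
        elif r["edition"] == "unknown":
            queue.append((2, r["host"]))  # no banner: needs a manual check
    return [host for _, host in sorted(queue)]

if __name__ == "__main__":
    # PLACEHOLDER thresholds: substitute the fixed builds from F5's advisory.
    print(patch_queue(parse_inventory(SAMPLE), fixed_plus=(33, 0), fixed_oss=(1, 27, 0)))
```
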
Affected products
F5, NGINX, NGINX Plus, NGINX Open Source, NGINX Gateway Fabric