CVE-2026-42530

This vulnerability is in NGINX’s HTTP/3 “front door” (QUIC). If HTTP/3 is turned on, a remote person can send a specially made “conversation” that can cause NGINX to mishandle memory, which can restart the service; in some cases, it may be possible to go further depending on system protections like ASLR. Think of it like a server that has a bug in how it processes a particular type of handshake—certain crafted handshakes can cause the server to fall over.

This matters to you if you use or run F5 NGINX Open Source with the HTTP/3 QUIC module enabled. If you do not use HTTP/3 (or don’t have the QUIC module configured), you may not be exposed to this specific issue. The problem is specifically described for NGINX Open Source’s ngx_http_v3_module, not for every NGINX setup.

This is an AMBER issue because the bug is new and tied to an externally reachable feature (HTTP/3), and it can at minimum cause NGINX worker restarts. There is no public exploit and no known exploited-in-the-wild reporting provided here, so it is not an immediate “everyone is being attacked right now” situation—but you should patch promptly to prevent disruption and reduce the chance of more advanced misuse.

1. Check whether your F5 NGINX Open Source is configured with the HTTP/3 QUIC module (ngx_http_v3_module). 2) Update NGINX Open Source to the patched version your vendor provides (ask your IT/NGINX maintainer to confirm the exact target version). 3) After updating, verify HTTP/3 is still configured as intended and monitor NGINX for restarts or unusual HTTP/3 traffic.