CVE-2026-42530
HighCVSS 8.1Exploitation Probability (EPSS)
High risk87th percentile — higher than 87% of all known CVEs
Summary
NGINX Open Source has a vulnerability in the ngx_http_v3_module. When configured with the HTTP/3 QUIC module, a remote unauthenticated attacker, under specific conditions, can use a crafted HTTP/3 session to reopen a QPACK encoder stream, causing a Use-after-Free in the NGINX worker process and a restart. On systems with ASLR disabled or bypassed, code execution is possible.
Risk Assessment
The risk includes service disruption due to worker process restarts and potential remote code execution in environments with weakened ASLR, which could lead to server compromise.
Recommendation
Immediately update NGINX Open Source to a patched version for CVE-2026-42530 and enable ASLR on all production systems.
Original NVD description (English source)
NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

