CRITICAL | CVE-2026-42530 | CNA: f5

CVE-2026-42530: NGINX Open-Source ngx_http_v3_module vulnerability

NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker, along with conditions beyond their control, can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This may cause a Use-after-Free in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 1.31.2
Affected Products: 1


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the ngx_http_v3_module of NGINX Open Source (versions from 1.31.0 up to, but not including, 1.31.2). A remote, unauthenticated attacker can send a specially crafted HTTP/3 QUIC session to reopen a QPACK encoder stream, triggering the bug. Successful exploitation causes a worker-process crash, and on systems where ASLR is disabled or can be bypassed, the attacker can execute code. A patched-image rebuild at version 1.31.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle an affected NGINX Open Source release. Any image containing ngx_http_v3_module at a vulnerable version (1.31.0 to below 1.31.2) is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.2 Critical using the v4.0 vector and weights it against each environment's compliance policy to determine urgency and assignment. Triage results are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at NGINX Open Source 1.31.2 is available on HarborGuard for any environment whose scanned images contain an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the NGINX service over the network by sending a crafted HTTP/3 QUIC session to an exposed listener.

  • Authentication: Not required

    No account or credential is needed; the exploit is available to any unauthenticated remote client.

  • Victim interaction: Not required

    The attacker interacts directly with the NGINX service and no user action is required to trigger the vulnerability.

  • Attack complexity: Detail

    Exploitation requires conditions beyond the attacker's direct control (such as ASLR being disabled or separately bypassed), making reliable code execution dependent on environmental factors rather than a straightforward, condition-free exploit path.

Blast Radius

  • Crashes the targeted NGINX worker process, forcing a restart and interrupting in-flight HTTP/3 connections.
  • On systems with ASLR disabled or where the attacker can bypass ASLR, executes arbitrary code in the context of the NGINX worker process.
  • Compromises confidentiality of data handled by the worker, including proxied request and response content in memory at the time of exploitation.
  • Allows modification of in-memory state within the worker process, potentially corrupting responses served to other active clients.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42530 is active across all scanning environments and flags any image containing NGINX Open Source from 1.31.0 up to, but not including, 1.31.2 with HTTP/3 QUIC support compiled in. A rebuild at the fixed version 1.31.2 is available for affected images. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, runs regression tests, and opens a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with fix-version detail so teams can act manually. As a compensating control prior to patching, customers can apply network policy to restrict HTTP/3 (UDP/443) exposure to trusted sources only, reducing the attack surface while the image rebuild is prepared.
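For teams triaging by hand, the check described above (affected version, HTTP/3 module compiled in, QUIC listener configured) can be scripted. This is an added example, not HarborGuard's scanner or NGINX project code; the function names and result labels are hypothetical and the sample inputs are constructed.

```python
import re

# Range from this advisory: 1.31.0 <= version < 1.31.2 (fixed in 1.31.2).
AFFECTED_FROM, FIXED_IN = (1, 31, 0), (1, 31, 2)
VERSION_RE = re.compile(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)")
# A listen directive with the `quic` parameter opens an HTTP/3 listener.
QUIC_LISTEN_RE = re.compile(r"(?:^|[;{}])\s*listen\s[^;]*\bquic\b[^;]*;", re.M)

# Constructed sample inputs (not taken from a real host).
SAMPLE_V = (
    "nginx version: nginx/1.31.1\n"
    "configure arguments: --with-http_ssl_module --with-http_v3_module\n"
)
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3 over UDP/443
    # listen 8443 quic;          # commented out, must be ignored
}
"""

def strip_comments(conf):
    """Drop '#' comments (simplification: ignores '#' inside quoted strings)."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def assess(nginx_v_output, conf_text):
    """Classify a host from `nginx -V` output and its configuration text."""
    m = VERSION_RE.search(nginx_v_output)
    if not m:
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    if not (AFFECTED_FROM <= version < FIXED_IN):
        return "version-not-affected"
    if "--with-http_v3_module" not in nginx_v_output:
        return "affected-version-without-http3-module"
    if QUIC_LISTEN_RE.search(strip_comments(conf_text)):
        return "affected-with-quic-listener"
    return "affected-version-no-quic-listener"

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```

On a real host, feed it the output of `nginx -V 2>&1` (the version banner goes to stderr) and the configuration dump from `nginx -T`. Hosts classified as having a QUIC listener are the ones to patch first or to place behind the UDP/443 restriction.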


Fix available: 1.31.2
Affected packages
  • F5 / NGINX Open Source: < 1.31.2 (from 1.31.0)
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N