CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free

my.f5.com

7 points by kro 3 days ago · 4 comments

Reader

cpburns2009 3 days ago

I mentioned this in a previous post for this CVE. How much heavy lifting is the phrase "along with conditions beyond their control" doing for this exploit?

> When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.

kroOP 3 days ago

These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.
[1]:
https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...
https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...
ValdikSS 2 days ago

It's an RCE
https://x.com/nebusecurity/status/2067623683427045541

kroOP 2 days ago

Only 1.31.0 and 1.31.1 are affected.

Settings

CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free

Keyboard Shortcuts