F5 Patches Two CVSS 9.2 Unauthenticated RCEs in NGINX Open Source Affecting QUIC and HTTP/2 Proxy Paths

Both flaws require non-default configurations yet carry 9.2 CVSS scores because they allow unauthenticated attackers to achieve code execution on systems where ASLR is disabled or bypassable. Affected builds span NGINX Open Source 1.30.0-1.31.1, multiple Ingress Controller releases, and NGINX Gateway Fabric versions still deployed in production. F5 lists mitigations but provides no evidence of in-the-wild exploitation at disclosure.

NGINX Open Source underpins a documented majority of internet-facing load balancers and reverse proxies according to multiple web server surveys. The requirement for ignore_invalid_headers off plus large_client_header_buffers exceeding 2 MB in CVE-2026-42055 creates a narrow but realistic attack surface inside containerized environments that reuse default or copied configurations. Prior CVE-2026-42945 exploitation within days of disclosure shows the pattern of rapid weaponization once details surface.

Procurement records and job postings from major CDNs and government agencies continue to specify NGINX-based ingress without corresponding patch cadence tracking. The split between Open Source and NGINX Plus support windows leaves the larger installed base exposed longer. No public SBOM or dependency attestation from downstream vendors has surfaced to quantify blast radius.

Operators should audit HTTP/3 and proxy_http_version 2 deployments immediately; expect public exploit code within two weeks based on the prior Rift timeline.