CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free(my.f5.com)
my.f5.com
CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free
https://my.f5.com/manage/s/article/K000161616
4 comments
These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.
[1]:
https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...
https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...
[1]:
https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...
https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...
Only 1.31.0 and 1.31.1 are affected.
> When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.