CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free (opens in new tab)

(my.f5.com)

7 pointskro8d ago4 comments

4 comments

4 comments · 2 top-level

cpburns20098d ago· 2 in thread

I mentioned this in a previous post for this CVE. How much heavy lifting is the phrase "along with conditions beyond their control" doing for this exploit?

> When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.

kroOP8d ago

These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.

[1]:

https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...

https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...

ValdikSS8d ago

It's an RCE

https://x.com/nebusecurity/status/2067623683427045541

kroOP8d ago

Only 1.31.0 and 1.31.1 are affected.

j / k navigate · click thread line to collapse