- nginx
- zero-day
- rce
- cve
- quic
news
Nginx HTTP/3 QUIC Zero-Day (CVE-2026-42530)
Remote code execution in NGINX Open Source 1.31.0–1.31.1 when HTTP/3 QUIC is enabled; patched in 1.31.2.
Summary
Nebula Security disclosed CVE-2026-42530, a remote code execution vulnerability in NGINX Open Source v1.31.0 and v1.31.1 when the HTTP/3 QUIC module is enabled. NGINX issued v1.31.2 as the patched release. This marks the third "major" rated nginx vulnerability since 2014 — a rarity for a project whose attack surface is typically considered narrow when default configurations are maintained.
Fortune 500 exposure has been reported in passive scanning datasets. Treat as actively exploitable until patched or QUIC is disabled.
Vulnerability Details
CVE-2026-42530
| Field | Value |
|---|---|
| CVE | CVE-2026-42530 |
| CVSS | 9.8 (Critical) — network attack, no auth |
| Affected | NGINX Open Source 1.31.0, 1.31.1 |
| Fixed | NGINX Open Source 1.31.2+ |
| Module | ngx_http_v3_module (QUIC/HTTP3) |
| Default | Not enabled by default |
Root Cause
Memory corruption in QUIC stream handling during HTTP/3 request processing. Malformed QUIC packets trigger an out-of-bounds write in the HTTP/3 framing layer — reachable pre-authentication over UDP/443 (QUIC) without TLS application data decryption in certain code paths.
Key constraint: The vulnerability exists only when administrators explicitly enable HTTP/3:
```nginx
listen 443 quic reuseport;
listen 443 ssl;
http3 on;
```
Installations using HTTP/1.1 or HTTP/2 only (no quic listener directive) are not affected.
Attack Prerequisites
- Target exposes QUIC on UDP/443
- NGINX version 1.31.0 or 1.31.1
- No user interaction required
- Exploit sends crafted QUIC Initial/Handshake packets
Exposure Landscape
Shodan and Censys queries for nginx + HTTP/3 response headers show thousands of internet-facing instances. Enterprise CDN configurations increasingly enable QUIC for latency optimization — many operators adopted 1.31.x for official HTTP/3 support without tracking patch velocity.
High-risk sectors: E-commerce, SaaS API gateways, media streaming, gaming backends.
Impact
Successful exploitation grants remote code execution as the nginx worker process user (typically www-data or nginx). From worker context:
- Read application secrets in environment and config files
- Pivot to backend services via internal network routes
- Install web shells if write permissions exist on web roots
- Container escape if nginx runs with excessive capabilities
Mitigation
Immediate (choose one)
- Upgrade to NGINX 1.31.2 or later — preferred path.
- Disable QUIC/HTTP3 — remove the `quic` listener and `http3 on` directives until patched.
- UDP/443 firewall block — if QUIC is not intentionally required, block inbound UDP 443 at the perimeter.
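The version and configuration conditions described under Root Cause and the Immediate mitigation list can be checked in one pass over `nginx -v` output and an `nginx -T` config dump. The following audit script is an added example, not from the advisory or the NGINX project; the affected and fixed versions come from the table above, and the sample config is constructed for illustration.

```python
import re

# Affected and fixed releases as stated in this advisory (constructed from its table).
AFFECTED = {(1, 31, 0), (1, 31, 1)}

_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
# A 'listen ... quic ...;' directive is what opens the UDP/443 HTTP/3 code path.
_QUIC_LISTEN_RE = re.compile(r"^\s*listen\s+[^;]*\bquic\b[^;]*;", re.M)
_HTTP3_ON_RE = re.compile(r"^\s*http3\s+on\s*;", re.M)


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from 'nginx -v' output such as 'nginx version: nginx/1.31.1'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no nginx version found in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version) -> bool:
    """True only for the two releases the advisory lists; 1.31.2 and later carry the fix."""
    return tuple(version) in AFFECTED


def strip_comments(config: str) -> str:
    """Drop '#' comments so a commented-out 'listen 443 quic;' is not counted as enabled."""
    return "\n".join(line.split("#", 1)[0] for line in config.splitlines())


def quic_enabled(config: str) -> dict:
    """Report the two directives from the advisory's 'Key constraint' snippet."""
    text = strip_comments(config)
    return {
        "quic_listener": bool(_QUIC_LISTEN_RE.search(text)),
        "http3_on": bool(_HTTP3_ON_RE.search(text)),
    }


def assess(banner: str, config: str) -> str:
    """Combine version and config: exposure requires an affected build AND a quic listener."""
    affected = is_affected_version(parse_version(banner))
    if affected and quic_enabled(config)["quic_listener"]:
        return "vulnerable"
    if affected:
        return "affected-build-quic-off"  # HTTP/1.1 or HTTP/2 only: not reachable, still upgrade
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample: an affected build with the HTTP/3 listener enabled.
    sample_cfg = "server {\n    listen 443 quic reuseport;\n    listen 443 ssl;\n    http3 on;\n}\n"
    print(assess("nginx version: nginx/1.31.1", sample_cfg))
```

Feed it the real output of `nginx -v` (which prints to stderr) and `nginx -T` on each host to get a per-host verdict.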
Hardening
- Run nginx workers as unprivileged users with minimal filesystem write access
- Separate nginx from database credentials via secret management sidecars
- Deploy WAF/CDN QUIC termination with vendor-managed patch cycles
- Monitor for anomalous UDP/443 volume to nginx origins
Timeline
| Date | Event |
|---|---|
| 2026-06-16 | Nebula Security reports vulnerability to NGINX |
| 2026-06-18 | Public disclosure; CVE-2026-42530 assigned |
| 2026-06-18 | NGINX 1.31.2 release with fix |
| 2026-06-18 | Hacker News discussion; Fortune 500 exposure claims |
Sources
- Hacker News — CVE-2026-42530 discussion
- NGINX security advisories
- Nebula Security disclosure (referenced in community coverage)