F5 released patches for two critical remote code execution vulnerabilities in NGINX Open Source. CVE-2024-42530 carries a CVSS v4 score of 9.2 and involves a use-after-free flaw in the ngx_http_v3_module. Remote unauthenticated attackers can trigger this vulnerability when NGINX Open Source processes HTTP/3 traffic, potentially executing arbitrary code on affected systems.
Details of the second vulnerability remain incomplete in available reporting, but both flaws warrant immediate patching across NGINX Open Source deployments. Use-after-free vulnerabilities arise when code continues to reference memory after it has been freed; the stale reference can corrupt memory and, in the worst case, give an attacker control of execution.
NGINX Open Source powers web infrastructure globally, handling millions of requests daily across enterprises, hosting providers, and internet-facing applications. Organizations running vulnerable versions face direct exposure to remote code execution attacks requiring no credentials. Attackers can exploit these flaws to gain shell access, establish persistence, exfiltrate data, or deploy malware.
Adoption of HTTP/3 continues to expand, making ngx_http_v3_module increasingly common in production deployments. Networks relying on NGINX for reverse proxying, load balancing, or web serving should prioritize identifying affected versions and deploying patches immediately.
F5's advisory recommends administrators update to patched NGINX Open Source releases. Organizations should verify their current NGINX versions against F5's official security advisory, test patches in staging environments, and schedule updates during maintenance windows. For systems unable to update immediately, network segmentation and Web Application Firewall rules may provide temporary mitigation.
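The triage step above, as an added example that is not part of the advisory or of NGINX itself: a small POSIX shell helper that parses `nginx -V` output to report whether a build includes ngx_http_v3_module and whether its version is below the fixed release. It assumes HTTP/3 support is compiled in with the `--with-http_v3_module` configure flag, and FIXED_VERSION is a placeholder to be taken from F5's advisory; the sample output is constructed.

```shell
#!/bin/sh
# Triage helper for the NGINX HTTP/3 advisory (added example, not F5/NGINX code).
# Assumption: `nginx -V` prints "nginx version: nginx/X.Y.Z" and its
# "configure arguments:" line, and HTTP/3 is a build-time option
# (--with-http_v3_module). FIXED_VERSION is a placeholder: use the advisory's value.
FIXED_VERSION="${FIXED_VERSION:-X.Y.Z}"

# nginx_version OUTPUT -> prints the dotted version, e.g. 1.25.3
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# http3_built OUTPUT -> prints yes if the HTTP/3 module was compiled in, else no
http3_built() {
    case "$1" in
        *--with-http_v3_module*) echo yes ;;
        *) echo no ;;
    esac
}

# version_lt A B -> succeeds if dotted version A is numerically lower than B
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# triage OUTPUT FIXED -> prints not-exposed (no HTTP/3 module), exposed, or patched
triage() {
    v=$(nginx_version "$1")
    if [ "$(http3_built "$1")" = no ]; then echo not-exposed; return; fi
    if version_lt "$v" "$2"; then echo exposed; else echo patched; fi
}

# Constructed sample of `nginx -V` output (not captured from a real host).
SAMPLE='nginx version: nginx/1.25.3
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'

echo "sample build: $(triage "$SAMPLE" "$FIXED_VERSION")"
# Check the local binary only when one is installed (nginx -V writes to stderr).
if command -v nginx >/dev/null 2>&1; then
    echo "local build: $(triage "$(nginx -V 2>&1)" "$FIXED_VERSION")"
fi
```

Run it with `FIXED_VERSION=<fixed release from the advisory> sh triage.sh` on each host; the script only reads build metadata and never touches the running service.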
The CVSS v4 score of 9.2 reflects the remote, unauthenticated attack vector combined with complete system compromise potential. Organizations managing customer-facing web infrastructure face particular risk, as compromise could expose sensitive
