CVE-2026-42530

Name of the Vulnerable Software and Affected Versions NGINX Open Source versions 1.31.0 through 1.31.1

Description A use-after-free flaw exists in the ngx http v3 module module when NGINX Open Source is configured to use the HTTP/3 QUIC module. A remote unauthenticated attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream, which may cause the NGINX worker process to restart, resulting in a denial of service. Additionally, this issue can lead to remote code execution on systems where Address Space Layout Randomization (ASLR)—a security technique that randomly arranges the address space positions of key data areas of a process—is disabled or can be bypassed. Exploitation depends on certain conditions beyond the attacker's control.

Recommendations Update to version 1.31.2. As a temporary workaround, consider disabling the ngx http v3 module module to minimize the risk of exploitation.