CVE-2026-42530

Name of the Vulnerable Software and Affected Versions NGINX Open Source versions 1.31.0 through 1.31.1

Description A use-after-free flaw exists in the ngx http v3 module module when the software is configured to use the HTTP/3 QUIC module. A remote unauthenticated attacker can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream, which may cause the NGINX worker process to restart. This issue can also lead to code execution on systems where Address Space Layout Randomization (ASLR)—a security technique that randomly arranges the address space positions of key data areas of a process—is disabled or bypassed. Exploitation depends on conditions beyond the attacker's control.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.