Security Advisory - Published 2026-06-18 - NGINX Edge
NGINX June 2026 CVEs: check HTTP/2 proxy, gRPC, and HTTP/3 exposure
CVE-2026-42055 and CVE-2026-42530 affect NGINX configurations tied to HTTP/2 proxying, gRPC handling, or HTTP/3 QUIC. Edge nodes should be patched and reviewed before relying on uptime alone as a clean signal.
Owner self-check
nginx -v
nginx -V 2>&1 | tr ' ' '\\n' | egrep 'http_v3|grpc|http_v2|quic|proxy'
grep -R "http2\\|http3\\|quic\\|grpc_pass\\|proxy_http_version" /etc/nginx 2>/dev/null
journalctl -u nginx --since "2026-06-17" --no-pager | tail -200 What to review
- Public server blocks with HTTP/2, HTTP/3, QUIC, gRPC, or upstream proxying enabled.
- Recent worker crashes, reload failures, upstream resets, and edge error spikes.
- CDN or load balancer paths that still reach an older NGINX node after patching one tier.
- Unexpected config drift between primary and standby edge nodes.
Safe fix path
- Apply the relevant F5 NGINX or distro security update.
- Patch all edge nodes in the same pool, then reload and confirm the running binary version.
- Temporarily disable HTTP/3 or public gRPC exposure if patching must be staged.
- Review logs for instability before reopening high-risk traffic paths.
Repair help
Use Ping7 CVE Repair if the edge tier is public, config is shared across several hosts, or logs show worker crashes and unexplained traffic around the advisory window.