Security Advisory - Published 2026-06-18 - NGINX Edge

NGINX June 2026 CVEs: check HTTP/2 proxy, gRPC, and HTTP/3 exposure

CVE-2026-42055 and CVE-2026-42530 affect NGINX configurations tied to HTTP/2 proxying, gRPC handling, or HTTP/3 QUIC. Edge nodes should be patched and reviewed before relying on uptime alone as a clean signal.

Defensive scope: this page covers version, module, config, and log review for owned NGINX servers and approved edge maintenance.

Owner self-check

nginx -v
nginx -V 2>&1 | tr ' ' '\\n' | egrep 'http_v3|grpc|http_v2|quic|proxy'
grep -R "http2\\|http3\\|quic\\|grpc_pass\\|proxy_http_version" /etc/nginx 2>/dev/null
journalctl -u nginx --since "2026-06-17" --no-pager | tail -200

What to review

  • Public server blocks with HTTP/2, HTTP/3, QUIC, gRPC, or upstream proxying enabled.
  • Recent worker crashes, reload failures, upstream resets, and edge error spikes.
  • CDN or load balancer paths that still reach an older NGINX node after patching one tier.
  • Unexpected config drift between primary and standby edge nodes.

Safe fix path

  1. Apply the relevant F5 NGINX or distro security update.
  2. Patch all edge nodes in the same pool, then reload and confirm the running binary version.
  3. Temporarily disable HTTP/3 or public gRPC exposure if patching must be staged.
  4. Review logs for instability before reopening high-risk traffic paths.

Repair help

Use Ping7 CVE Repair if the edge tier is public, config is shared across several hosts, or logs show worker crashes and unexplained traffic around the advisory window.

References