F5 on June 17 released out-of-band security patches to address multiple NGINX web server vulnerabilities, two of them critical.

The two critical vulnerabilities were CVE-2026-42530 and CVE-2026-42055, bugs that unauthenticated remote attackers can exploit to trigger a denial-of-service (DoS) attack or code execution on NGINX systems.

This out-of-band move by F5 comes about a month after the company faced an active exploitation situation in which NGINX systems were targeted.

These security issues around NGINX are a concern because NGINX runs in front of one-third of all websites worldwide and has been a trusted product for decades. NGINX was first released in October 2004 as an open source product, and F5 officially completed its acquisition of NGINX in May 2019.

Security pros welcomed the recent move by F5.

“It’s encouraging to see F5 trying to get ahead of potential exploitation by releasing these patches out-of-band,” said Matan Shavit, GM for North America for Hadrian. “Large vendors like F5 usually bundle security updates into standardized patching and feature release cycles, making them easier for IT and security teams to plan for and monitor. While an out-of-band release may be disruptive for those teams, we’re entering an era where attackers are exploiting vulnerabilities increasingly quickly, and vendors need to adapt.”

Shavit said it’s exactly the type of response he’d like to see more vendors adopt: issue patches and mitigation guidance as soon as possible rather than waiting for the next scheduled release.

“It’s a shift in how the wider industry should respond to vulnerabilities that could be exploited, and organizations will need to evolve their own operational practices to match,” said Shavit. “If we want to limit the damage threat actors can do, we can’t rely solely on predictable patching schedules when exploitation timelines are measured in hours and even minutes.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, added that NGINX has become an attractive target because it frequently serves as a reverse proxy, load balancer, or web server for internet-facing applications, placing it in a position where a successful compromise can have significant downstream impact.

“It’s difficult to determine whether vulnerabilities are becoming more common or whether increased scrutiny of widely deployed infrastructure is leading to more discoveries and disclosures,” said Ursry. “Either way, vulnerabilities impacting technologies that are widely adopted tend to receive significant attention due to their potential impact across enterprise environments. Out-of-band patches typically indicate a vendor believes the risk warrants immediate action, even if active exploitation has not been publicly observed.”
F5 releases out-of-band patches for two critical NGINX bugs




