CVE-2026-42530 – Nginx HTTP3/QUIC Use-After-Free(my.f5.com)

5 pointsby kro7 hours ago1 comment

cpburns20096 hours ago
I mentioned this in a previous post for this CVE. How much heavy lifting is the phrase "along with conditions beyond their control" doing for this exploit?
> When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.
- ValdikSSan hour ago
  It's an RCE
  https://x.com/nebusecurity/status/2067623683427045541
- kro6 hours ago
  These commits [1] are related to the issue. I am not too familiar with the code, but it appears nginx manages/closes streams in a pool at times the attacker cannot control, and during short windows, it is vulnerable.
  [1]:
  https://github.com/nginx/nginx/commit/ceccdbd2ee799d020a371b...
  https://github.com/nginx/nginx/commit/9e293766e73c469c015df5...