hypeorhack
← back

CVE-2026-42055

EPSS 0.6%
hype LIKELY HACK · 72 hack

F5 emergency patch signal + CVSS 9.2 credible; no KEV listing or PoC confirmation yet; early-stage remediation cycle.

What: Heap buffer overflow in NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module (F5 NGINX Plus and Open Source); CVSS 9.2, allows unauthenticated RCE or DoS.

Why it matters: F5 released emergency out-of-band patches within days of disclosure (June 17–19, 2026). CVSS 9.2 critical severity, affects widely-deployed reverse proxy infrastructure. Multiple sources confirm active patching and defender awareness; social chatter reflects urgent vendor response.

Where it's seen: News aggregator coverage (TheHackerNews, CyberSecGuru), security bulletin republication, multi-CVE bundle discussions alongside CVE-2026-42530 (HTTP/3 QPACK use-after-free). Chatter emphasizes "emergency patch" and unauthenticated RCE risk.

RISK: CRITICAL — CVSS 9.2, unauthenticated RCE, widely-deployed NGINX, F5 emergency patching underway.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/19/2026, 4:59:31 PM

No NVD details ingested for this CVE yet.