F5 NGINX OSS
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*
- >= 1.25.0, <= 1.25.3
A denial-of-service vulnerability has been identified in NGINX Plus and NGINX Open Source versions from 1.25.0 up to, but not including, 1.25.4, and in 1.26.0, when the experimental HTTP/3 QUIC module is enabled. Undisclosed requests can cause NGINX worker processes to crash, disrupting traffic until the process restarts.
Exploitation of this vulnerability leads to a crash of the NGINX worker process, causing a temporary disruption in service until the process is restarted.
Users can upgrade to NGINX versions 1.25.4 or 1.27.0. If using NGINX Plus, refer to the NGINX Plus release notes for the appropriate version. For NGINX Open Source, version 1.25.4 includes the fix. Alternatively, the HTTP/3 module can be disabled in the NGINX configuration.
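A check for the condition this advisory describes, as an added example that is not F5's or this page's own code: it reports a host as exposed only when the `nginx -v` version falls in the affected range stated above and the dumped configuration (`nginx -T`) contains an active `listen` directive with the `quic` parameter. The function names and sample input are constructed; it assumes HTTP/3 is enabled through `listen ... quic`, covers NGINX Open Source version numbers only, and expects each `listen` directive on a single line.

```python
import re

# Affected versions as stated on this page: 1.25.0 through 1.25.3, and 1.26.0.
AFFECTED_RANGES = [((1, 25, 0), (1, 25, 3)), ((1, 26, 0), (1, 26, 0))]

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in banner: %r" % banner)
    return tuple(int(part) for part in m.groups())

def is_affected_version(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def quic_listeners(config_text):
    """Return (line_number, directive) for every active `listen ... quic`."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments
        for statement in re.split(r"[;{}]", code):
            tokens = statement.split()
            if tokens[:1] == ["listen"] and "quic" in tokens[1:]:
                hits.append((number, " ".join(tokens)))
    return hits

def assess(banner, config_text):
    """Exposed only if the version is affected AND a QUIC listener exists."""
    version = parse_version(banner)
    listeners = quic_listeners(config_text)
    affected = is_affected_version(version)
    return {"version": version, "affected_version": affected,
            "quic_listeners": listeners, "exposed": affected and bool(listeners)}

# Constructed sample input (not taken from any real host).
SAMPLE_BANNER = "nginx version: nginx/1.25.3"
SAMPLE_CONFIG = """\
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;  # HTTP/3 over QUIC
        # listen 8443 quic;
    }
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

A host with an affected version but no QUIC listener is reported as not exposed, which matches the configuration workaround given above.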