NGINX Plus and NGINX Open Source HTTP/3 QUIC Memory Leak Vulnerability

Vulnerability

A memory leak vulnerability has been identified in NGINX Plus and NGINX Open Source when the HTTP/3 QUIC module is enabled. The issue occurs on systems with a Maximum Transmission Unit (MTU) of 4096 bytes or greater, where undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory. The vulnerability affects NGINX versions 1.25.0 through 1.26.0. It is present in NGINX Plus by default, while in NGINX Open Source it requires the HTTP/3 QUIC module to be manually enabled.

Impact

Exploitation of this vulnerability leads to a memory leak in NGINX worker processes, causing them to disclose previously freed memory. The leaked memory is random, cannot be controlled by an attacker, and does not include NGINX configuration or private keys.

Remediation

Users can upgrade to NGINX versions 1.27.0 or 1.26.1 to address this vulnerability. For NGINX Plus users, the update is available in version R32.
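
The conditions from the Vulnerability and Remediation sections can be checked per host from the output of `nginx -V` and the interface MTU. The script below is an added example, not part of the advisory or of NGINX; the version-line format, the `(nginx-plus-rNN)` suffix, the `--with-http_v3_module` build flag as the sign that HTTP/3 is compiled in, the verdict names and the interface name `eth0` are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory). Classifies a host from the text of
# `nginx -V` and one interface MTU, using only the ranges the advisory states.
# Assumed formats: "nginx version: nginx/X.Y.Z", optional "(nginx-plus-rNN)".
# Live use: classify_nginx "$(nginx -V 2>&1)" "$(cat /sys/class/net/eth0/mtu)"
classify_nginx() {
    info=$1; mtu=$2
    ver=$(printf '%s\n' "$info" |
        sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    if [ -z "$ver" ]; then echo unknown; return 0; fi

    # HTTP/3 QUIC support has to be compiled in for the issue to apply.
    case $info in
        *--with-http_v3_module*) ;;
        *) echo no-http3; return 0 ;;
    esac

    # NGINX Plus: the advisory names R32 as fixed, so decide on the release.
    plus=$(printf '%s\n' "$info" |
        sed -n 's|.*(nginx-plus-r\([0-9][0-9]*\).*|\1|p' | head -n 1)
    if [ -n "$plus" ] && [ "$plus" -ge 32 ]; then echo fixed-plus; return 0; fi

    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Affected range from the advisory: 1.25.0 through 1.26.0.
    in_range=no
    if [ "$major" -eq 1 ]; then
        if [ "$minor" -eq 25 ]; then in_range=yes; fi
        if [ "$minor" -eq 26 ] && [ "$patch" -eq 0 ]; then in_range=yes; fi
    fi
    if [ "$in_range" = no ]; then echo not-in-range; return 0; fi

    # The leak is described for MTUs of 4096 bytes or greater.
    if [ "$mtu" -ge 4096 ]; then echo vulnerable; else echo in-range-small-mtu; fi
}

# Constructed sample `nginx -V` outputs (not captured from real hosts).
SAMPLE_OSS='nginx version: nginx/1.25.3
configure arguments: --with-http_ssl_module --with-http_v3_module'
SAMPLE_PLUS='nginx version: nginx/1.25.5 (nginx-plus-r32)
configure arguments: --with-http_v3_module'

classify_nginx "$SAMPLE_OSS" 9000
classify_nginx "$SAMPLE_PLUS" 9000
```

A host reported as `in-range-small-mtu` still runs an affected version and should be upgraded; the MTU condition only describes where the leak has been observed to occur.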

Added: Mar 11, 2026, 6:40 PM
Updated: Mar 11, 2026, 6:40 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 0.6
exploitability: 7.2
remediation: 7.9
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.