NGINX Plus, F5 and NGINX Open Source: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

Critical NGINX Vulnerability "nginx-poolslip" Exposes Millions of Servers to Remote Attacks

A newly disclosed high-severity vulnerability in NGINX, tracked as CVE-2026-9256 (dubbed nginx-poolslip), is forcing administrators into an emergency patch cycle. The flaw affects both NGINX Open Source (versions 0.1.17–1.30.1 and 1.31.0) and NGINX Plus (R32–R36 and 37.0.0), enabling remote, unauthenticated attackers to exploit it over plain HTTP.

The vulnerability resides in the ngx_http_rewrite_module, the same component targeted in the earlier "NGINX Rift" flaw (CVE-2026-42945). It occurs when a rewrite directive uses regex patterns with overlapping PCRE capture groups (e.g., ^/((.*))$) paired with replacement strings referencing multiple captures (e.g., $1$2). This triggers a heap buffer overflow (CWE-122) in the NGINX worker process, potentially leading to control-flow hijacking via manipulated memory pool cleanup handlers.

Unlike the Rift bug, which exploited a buffer-size miscalculation, nginx-poolslip abuses a pointer "slip" across adjacent linked structures in the same memory pool, bypassing the previous patch. Exploitation can result in denial-of-service (DoS) crashes or, in environments with disabled ASLR or bypassable protections, remote code execution (RCE). The flaw is rated High (8.1 CVSS v3.1) and Critical (9.2 CVSS v4.0).

Affected Systems & Mitigations

The vulnerability impacts a vast footprint, including reverse proxies, API gateways, and Kubernetes ingress controllers. Fixed versions include:

  • NGINX Open Source: Upgrade to 1.30.2 or 1.31.1.
  • NGINX Plus: Update to R36 P5, R32 P7, or R37.0.1.1.

Downstream products such as NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect (WAF/DoS), NGINX Gateway Fabric, and NGINX Ingress Controller inherit the vulnerability but lack immediate fixes. The 0.x branch of NGINX Open Source will not receive patches.

As a temporary workaround, F5 recommends replacing unnamed regex captures with named captures (e.g., rewrite (?<user_id>.*) instead of $1).
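
A configuration audit for the rewrite shape described earlier (nested unnamed captures with several numbered references) and for directives that are candidates for the named-capture workaround, added here as an example and not taken from F5, NGINX or the original article. The HIGH/REVIEW labels, the sample configuration and the line-by-line parsing are assumptions made for illustration; the check only locates directives to review and does not replace upgrading to a fixed version.

```python
import re
# Constructed sample config for illustration (not from the original page).
SAMPLE_CONF = r"""server {
    rewrite ^/((.*))$ /index.php?a=$1&b=$2 last;              # nested groups, $1 and $2
    rewrite ^/user/(?<user_id>.*)$ /profile?id=$user_id last; # named capture (workaround form)
    rewrite ^/old/(.*)$ /new/$1 permanent;                    # one unnamed capture
    # rewrite ^/((a)(b))$ /$1$2$3;                            commented out, ignored
}"""

TOKEN = r"""("[^"]*"|'[^']*'|[^\s;]+)"""
DIRECTIVE = re.compile(r"(?<![\w$])rewrite\s+" + TOKEN + r"\s+" + TOKEN)

def scan_groups(pattern):
    """Return (unnamed_capture_count, nested) for a PCRE pattern string."""
    stack, unnamed, nested, in_class, i = [], 0, False, False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1                        # skip the escaped character
        elif in_class or c == "[":
            in_class = c != "]"           # parentheses inside [...] are literals
        elif c == "(":
            rest = pattern[i + 1:i + 5]
            named = re.match(r"\?(P?<[A-Za-z_]|')", rest) is not None
            capturing = named or not rest.startswith("?")
            if capturing and not named:
                unnamed += 1
                nested = nested or any(stack)  # opened inside another capture
            stack.append(capturing)
        elif c == ")" and stack:
            stack.pop()
        i += 1
    return unnamed, nested

def audit(conf):
    """Return (line, level, regex, replacement) for rewrites worth attention."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.search(line.split("#", 1)[0])  # simplification: '#' starts a comment
        regex, repl = (t.strip("\"'") for t in m.groups()) if m else ("", "")
        unnamed, nested = scan_groups(regex)
        refs = set(re.findall(r"\$\{?([1-9])\}?", repl))  # numbered references $1..$9
        level = "HIGH" if nested and len(refs) > 1 else "REVIEW" if unnamed and refs else None
        if level:
            findings.append((lineno, level, regex, repl))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

Directives split across several lines or pulled in through `include` are not followed; feeding the script the flattened output of `nginx -T` covers included files.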

The flaw was discovered by Mufeed VH (Winfunc Research), Nebula Security, and Vexera AI, with proof-of-concept exploits already circulating. No control-plane exposure exists; the issue is confined to the data plane.

Source: https://cybersecuritynews.com/nginx-poolslip-vulnerability/

NGINX Plus TPRM report: https://www.rankiteo.com/company/nginx

F5 TPRM report: https://www.rankiteo.com/company/f5

NGINX Open Source TPRM report: https://www.rankiteo.com/company/nginx

"id": "f5ngi1779539045",
"linkid": "f5, nginx",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"