New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers
Cybersecurity NewsArchived May 21, 2026✓ Full text saved
A newly disclosed zero-day remote code execution (RCE) vulnerability, dubbed nginx-poolslip, has been identified in NGINX version 1.31.0, the latest stable release of the widely deployed web server software. The discovery was made by security agent Vega, operating under the NebSec security team, and publicly disclosed via X (formerly Twitter) on May 21, 2026. Just […] The post New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers
By Guru Baran
May 21, 2026
A newly disclosed zero-day remote code execution (RCE) vulnerability, dubbed nginx-poolslip, has been identified in NGINX version 1.31.0, the latest stable release of the widely deployed web server software.
The discovery was made by security agent Vega, operating under the NebSec security team, and publicly disclosed via X (formerly Twitter) on May 21, 2026.
Just weeks ago, the cybersecurity community was addressing CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module carrying a CVSS v4 score of 9.2.
The vulnerability, present in the NGINX codebase since 2008, exposed approximately 5.7 million internet-facing NGINX servers to denial-of-service attacks and conditional remote code execution risks.
F5 patched the flaw in NGINX Open Source 1.31.0 and 1.30.1, prompting administrators worldwide to rush emergency upgrades.
NGINX 0-Day RCE “nginx-poolslip”
nginx-poolslip is a critical RCE vulnerability that targets NGINX’s internal memory pool handling mechanism.
INTRODUCING NGINX-POOLSLIP, A FRESH RCE FOR THE THE LATEST NGINX RELEASE 1.31.0.
NGINX-RIFT HAS BEEN PATCHED, BUT OUR SECURITY AGENT VEGA HAS FOUND A NEW 0 DAY.
WE WILL RELEASE THE FULL TECHNICAL WRITEUP WITH ASLR BYPASS 30 DAYS AFTER THE PATCH ON HTTPS://T.CO/LAHOC5UHRP. PIC.TWITTER.COM/4RQMP4UA4I
— Nebula Security (@nebusecurity) May 20, 2026
The flaw enables attackers to achieve remote code execution on affected servers, potentially granting full system compromise without prior authentication.
The vulnerability is described as a bypass of Address Space Layout Randomization (ASLR), a core OS-level memory protection technique designed to prevent exploitation of memory corruption bugs.
This follows a previously patched vulnerability known as nginx-rift, which affected earlier NGINX versions and has since been remediated.
However, NebSec’s research confirms that the patch for nginx-rift did not address the underlying attack surface that nginx-poolslip now exploits.
NGINX powers an estimated 30–40% of all web servers globally, including high-traffic platforms, reverse proxies, load balancers, and API gateways.
The fact that nginx-poolslip targets the latest release, version 1.31.0, means organizations that diligently updated to avoid nginx-rift may now be exposed to this new threat.
At the time of publication, no official patch from the NGINX project has been released. NebSec has followed a 30-day responsible disclosure timeline, committing to withholding the full technical write-up, including ASLR bypass details, until after an official patch is available.
As of this writing, no CVE identifier has been assigned, and no official patch from F5/NGINX is available for nginx-poolslip.
Mitigations
Until an official patch is issued, administrators should consider the following interim measures:
Monitor NebuSec and F5 security advisories for patch availability
Restrict public exposure of NGINX admin interfaces and limit attack surface via WAF rules
Enable ASLR system-wide (/proc/sys/kernel/randomize_va_space set to 2) as a partial mitigation
Audit NGINX configurations for rewrite, if, and set directives using unnamed PCRE capture groups — a known precondition for related pool-level corruption
Evaluate memory-safe alternatives such as Cloudflare Pingora for critical infrastructure
Given that NGINX powers a significant share of global web infrastructure, the security community is closely watching NebUC’s coordinated disclosure.
Organizations are strongly urged to subscribe to F5’s security bulletin feed and prepare emergency patching workflows in anticipation of an imminent fix.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Palo Alto PAN-OS 0-Day Exploited to Execute Arbitrary Code With Root Privileges on Firewalls
3 Tactics Elite SOCs Use to Operationalize Threat Intelligence
Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems
Void Botnet Uses Ethereum Smart Contracts for Seizure-Resistant C2 Infrastructure
Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft
Latest News
Cyber Security News
Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys
Cyber Security
New Microsoft Defender 0‑Days Actively Exploited in the Wild
Cyber Security News
BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites
Cyber Security News
Critical Cisco Secure Workload Vulnerability Enables Unauthorized API Access
Cyber Security News
Critical Drupal Core Security Vulnerability Exposes Websites to Cyberattack