Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!
By Guru Baran
May 23, 2026
A newly disclosed flaw in one of the world’s most widely deployed web servers is forcing administrators into another emergency patch cycle.
Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP.
The vulnerability resides in the ngx_http_rewrite_module, the same component implicated in the recent “NGINX Rift” flaw (CVE-2026-42945).
According to F5’s advisory, the condition arises when a rewrite directive uses a regex pattern with distinct, overlapping PCRE capture groups, such as ^/((.*))$ paired with a replacement string referencing multiple captures, like $1$2 in a redirect or arguments context.
Under these conditions, an attacker sending crafted requests can trigger a heap buffer overflow (CWE-122) in the NGINX worker process. NGINX uses a dedicated memory pool for each request and releases it all at once when the request is finished.
Inside that pool structure, NGINX maintains a linked list of cleanup handlers, and if an attacker can overwrite or redirect that handler pointer, pool destruction becomes a control-flow hijack opportunity.
Where the earlier Rift bug abused a buffer-size calculation error, poolslip triggers a controlled pointer “slip” across adjacent linked structures in the same pool, via a different code path to the same corruption target.
Crucially, researchers confirmed the patch for the prior flaw failed to remediate the underlying memory pool attack surface, leaving the door open for poolslip to emerge in the updated codebase.
At minimum, exploitation crashes and restarts the worker process, producing a denial-of-service condition. More seriously, code execution is possible on systems where Address Space Layout Randomization (ASLR) is disabled or where an attacker can bypass it.
F5 notes there is no control-plane exposure; this is strictly a data-plane issue. The flaw is rated High (8.1) under CVSS v3.1 and Critical (9.2) under CVSS v4.0.
Given NGINX’s ubiquity across reverse proxies, API gateways, and Kubernetes ingress controllers, the exposed footprint is enormous.
Affected Versions and Fixes
NGINX Open Source 0.1.17 through 1.30.1 and 1.31.0 are vulnerable; upgrade to 1.30.2 or 1.31.1. NGINX Plus users on R32–R36 should move to R36 P5 or R32 P7, and 37.x users to R37.0.1.1.
Product                     Vulnerable Versions   Fixed Versions
NGINX Plus                  37.0.0                37.0.1.1
NGINX Plus                  R32 – R36             R36 P5, R32 P7
NGINX Open Source           1.31.0                1.31.1
NGINX Open Source           1.0.0 – 1.30.1        1.30.2
NGINX Open Source           0.1.17 – 0.9.7        Will not fix
NGINX Instance Manager      2.17.0 – 2.22.0       None
F5 WAF for NGINX            5.9.0 – 5.13.0        None
NGINX App Protect WAF       5.2.0 – 5.8.0         None
NGINX App Protect WAF       4.10.0 – 4.16.0       None
F5 DoS for NGINX            4.9.0                 None
NGINX App Protect DoS       4.3.0 – 4.7.0         None
NGINX Gateway Fabric        2.0.0 – 2.6.1         None
NGINX Gateway Fabric        1.3.0 – 1.6.2         None
NGINX Ingress Controller    5.0.0 – 5.4.2         None
NGINX Ingress Controller    4.0.0 – 4.0.1         None
NGINX Ingress Controller    3.5.0 – 3.7.2         None
NGINX (all other products)  None                  Not applicable
Downstream products, including NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect (WAF and DoS), NGINX Gateway Fabric, and NGINX Ingress Controller, inherit the vulnerable components and should be updated as fixes ship. The 0.x branch will not be fixed.
If immediate patching isn’t feasible, F5 recommends replacing unnamed captures with named captures in every affected rewrite directive. For example, turn the groups referenced as $1 and $2 into (?<user_id>...) and (?<section>...), and reference them by name in the replacement string.
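The risky rewrite shape the advisory describes and F5's named-capture mitigation, side by side, together with a small audit script that walks an nginx configuration and flags rewrite directives matching that shape. This is an added example, not code from F5, NGINX or this article; the configuration fragments are constructed for illustration, and the advisory's "overlapping capture groups" condition is approximated here as one capturing group opened inside another, which is an assumption about the advisory's wording.

```python
"""Audit nginx configuration text for rewrite directives of the shape described
for CVE-2026-9256: unnamed, overlapping (nested) PCRE capture groups in the
pattern, combined with a replacement that references two or more captures by
number ($1$2 ...).  Added example, not F5/NGINX code; sample config is constructed."""
import re

# rewrite <regex> <replacement> [flag];   (either argument may be quoted)
_ARG = r"""("[^"]*"|'[^']*'|[^\s;]+)"""
_REWRITE_RE = re.compile(
    r"^\s*rewrite\s+" + _ARG + r"\s+" + _ARG
    + r"(?:\s+(last|break|redirect|permanent))?\s*;"
)

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONF = r"""
server {
    listen 80;

    # Shape named in the advisory: nested unnamed groups, two numeric back-references.
    location /legacy/ {
        rewrite ^/((.*))$ /new/$1$2 redirect;
    }

    # F5's interim mitigation: named captures, referenced by name.
    location /users/ {
        rewrite ^/users/(?<user_id>[^/]+)/(?<section>.*)$ /profile/$user_id/$section redirect;
    }

    # Unnamed but non-overlapping groups: not the advisory's pattern.
    location /docs/ {
        rewrite "^/docs/([a-z]+)/(\d+)$" /api/$2/$1 last;
    }
}
"""


def _unquote(tok):
    """Strip one layer of matching single or double quotes from a config argument."""
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
        return tok[1:-1]
    return tok


def capture_group_nesting(pattern):
    """Return (unnamed_count, named_count, max_capturing_depth) for a PCRE pattern.

    max_capturing_depth > 1 means a capturing group was opened while another
    capturing group was still open, i.e. the groups overlap.  Non-capturing
    groups, lookarounds and inline flags are skipped; escapes and character
    classes are honoured so a literal '(' does not count."""
    unnamed = named = depth = max_depth = 0
    stack = []          # one entry per open group: True if it captures
    in_class = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":   # escaped character: skip it and the next one
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            capturing, is_named = True, False
            if pattern.startswith("(?", i):
                rest = pattern[i + 2:i + 4]
                if rest[:1] == "<" and rest[1:2] not in ("=", "!"):
                    is_named = True                      # (?<name>...)
                elif rest[:2] == "P<" or rest[:1] == "'":
                    is_named = True                      # (?P<name>...) / (?'name'...)
                else:
                    capturing = False                    # (?:  (?=  (?!  (?<=  (?<!  (?i)
            stack.append(capturing)
            if capturing:
                depth += 1
                max_depth = max(max_depth, depth)
                named += is_named
                unnamed += not is_named
        elif c == ")":
            if stack and stack.pop():
                depth -= 1
        i += 1
    return unnamed, named, max_depth


def audit_config(conf_text):
    """Return one finding dict per rewrite directive in conf_text."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = _REWRITE_RE.match(line)
        if not m:
            continue
        pattern, replacement = _unquote(m.group(1)), _unquote(m.group(2))
        unnamed, named, max_depth = capture_group_nesting(pattern)
        # nginx exposes positional captures as the single-digit variables $1 .. $9.
        numeric_refs = sorted({int(n) for n in re.findall(r"\$([1-9])", replacement)})
        named_refs = sorted(set(re.findall(r"\$\{?([A-Za-z_]\w*)\}?", replacement)))
        findings.append({
            "line": lineno, "pattern": pattern, "replacement": replacement,
            "unnamed_groups": unnamed, "named_groups": named,
            "max_capturing_depth": max_depth,
            "numeric_refs": numeric_refs, "named_refs": named_refs,
            # Overlapping captures AND multiple numeric back-references: the advisory's shape.
            "risky": max_depth > 1 and len(numeric_refs) >= 2,
        })
    return findings


def summarize(findings):
    """One report line per finding, returned (not just printed) so callers can log or assert."""
    return [
        f"{'RISKY' if f['risky'] else 'ok   '} line {f['line']}: rewrite {f['pattern']} -> "
        f"{f['replacement']} (capturing depth {f['max_capturing_depth']}, numeric refs {f['numeric_refs']})"
        for f in findings
    ]


if __name__ == "__main__":
    for report_line in summarize(audit_config(SAMPLE_CONF)):
        print(report_line)
```

To cover include files as well as the main configuration, feed the script the output of nginx -T, which dumps the fully resolved configuration. A RISKY line is a directive to convert to named captures as F5 recommends; an ok line with unnamed groups is outside the described shape but is still a reasonable candidate for the same conversion while the patch is rolled out.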
The flaw was credited to Mufeed VH of Winfunc Research, Nebula Security, and Vexera AI. With proof-of-concept activity already circulating, organizations should patch without delay.
Guru Baran, https://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.