New NGINX 0-Day RCE "nginx-poolslip" Affects Millions of NGINX Servers - CyberSecurityNews
By Guru Baran
May 21, 2026
A newly disclosed zero-day remote code execution (RCE) vulnerability, dubbed nginx-poolslip, has been identified in NGINX version 1.31.0, the latest stable release of the widely deployed web server software.
The discovery was made by security agent Vega, operating under the NebSec security team, and publicly disclosed via X (formerly Twitter) on May 21, 2026.
Just weeks ago, the cybersecurity community was addressing CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module carrying a CVSS v4 score of 9.2.
The vulnerability, present in the NGINX codebase since 2008, exposed approximately 5.7 million internet-facing NGINX servers to denial-of-service attacks and conditional remote code execution risks.
F5 patched the flaw in NGINX Open Source 1.31.0 and 1.30.1, prompting administrators worldwide to rush emergency upgrades.
NGINX 0-Day RCE “nginx-poolslip”
nginx-poolslip is a critical RCE vulnerability that targets NGINX’s internal memory pool handling mechanism.
INTRODUCING NGINX-POOLSLIP, A FRESH RCE FOR THE LATEST NGINX RELEASE 1.31.0.
NGINX-RIFT HAS BEEN PATCHED, BUT OUR SECURITY AGENT VEGA HAS FOUND A NEW 0 DAY.
WE WILL RELEASE THE FULL TECHNICAL WRITEUP WITH ASLR BYPASS 30 DAYS AFTER THE PATCH ON HTTPS://T.CO/LAHOC5UHRP. PIC.TWITTER.COM/4RQMP4UA4I
— Nebula Security (@nebusecurity) May 20, 2026
The flaw enables attackers to achieve remote code execution on affected servers, potentially granting full system compromise without prior authentication.
The vulnerability is described as a bypass of Address Space Layout Randomization (ASLR), a core OS-level memory protection technique designed to prevent exploitation of memory corruption bugs.
This follows a previously patched vulnerability known as nginx-rift, which affected earlier NGINX versions and has since been remediated.
However, NebSec’s research confirms that the patch for nginx-rift did not address the underlying attack surface that nginx-poolslip now exploits.
NGINX powers an estimated 30–40% of all web servers globally, including high-traffic platforms, reverse proxies, load balancers, and API gateways.
The fact that nginx-poolslip targets the latest release, version 1.31.0, means organizations that diligently updated to avoid nginx-rift may now be exposed to this new threat.
At the time of publication, no official patch from the NGINX project has been released. NebSec has followed a 30-day responsible disclosure timeline, committing to withholding the full technical write-up, including ASLR bypass details, until after an official patch is available.
As of this writing, no CVE identifier has been assigned, and no official patch from F5/NGINX is available for nginx-poolslip.
Mitigations
Until an official patch is issued, administrators should consider the following interim measures:
Monitor NebSec and F5 security advisories for patch availability
Restrict public exposure of NGINX admin interfaces and limit attack surface via WAF rules
Enable ASLR system-wide (/proc/sys/kernel/randomize_va_space set to 2) as a partial mitigation
Audit NGINX configurations for rewrite, if, and set directives using unnamed PCRE capture groups — a known precondition for related pool-level corruption
Evaluate memory-safe alternatives such as Cloudflare Pingora for critical infrastructure
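The two checks in the list that can be automated, the ASLR setting and the configuration audit, are sketched below as an added example; it is not code from the article, NebSec, or F5/NGINX. It is a line-based heuristic rather than a full NGINX parser, the helper names are hypothetical, and the sample configuration is constructed.

```python
import re
from pathlib import Path

# Heuristic patterns (hypothetical helper names; not NGINX's own parser).
DIRECTIVE = re.compile(r"^\s*(rewrite|if|set)\b(.*)$")
IF_REGEX = re.compile(r"!?~\*?\s*(.+)\)\s*\{?\s*$")   # regex operand of "if (... ~ re)"
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")        # "(" not escaped, not "(?..."
POSITIONAL_REF = re.compile(r"\$\{?[1-9]")            # $1..$9 or ${1}..${9}

# Constructed sample configuration, embedded so the audit runs offline.
SAMPLE = r"""
server {
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/u/(?<id>\d+)$ /user?id=$id last;
    if ($request_uri ~* "^/api/(v1|v2)/") {
        set $ver $1;
    }
    if ($http_x_debug = "1") { return 403; }
    location ~ \.php$ { return 404; }
}
"""

def audit_config(text):
    """Return (line_no, directive, reason) for each line to review by hand."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line.split("#", 1)[0])    # drop trailing comments
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        regex = ""
        if name == "rewrite" and rest.split():
            regex = rest.split()[0].strip("\"'")      # first argument is the regex
        elif name == "if":
            hit = IF_REGEX.search(rest)
            regex = hit.group(1).strip().strip("\"'") if hit else ""
        if UNNAMED_GROUP.search(regex):
            findings.append((no, name, "unnamed capture group"))
        elif POSITIONAL_REF.search(rest):
            findings.append((no, name, "positional capture reference"))
    return findings

def aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """Return the kernel ASLR setting (2 = full), or None if it cannot be read."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
    print("randomize_va_space =", aslr_level())
```

Parentheses inside character classes and `#` inside quoted regexes can produce false positives or misses, so treat the output as a review list rather than a verdict.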
Given that NGINX powers a significant share of global web infrastructure, the security community is closely watching NebSec’s coordinated disclosure.
Organizations are strongly urged to subscribe to F5’s security bulletin feed and prepare emergency patching workflows in anticipation of an imminent fix.
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.