A critical security vulnerability tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip has been disclosed in NGINX, one of the world’s most widely deployed web servers. The flaw allows a remote, unauthenticated attacker to trigger a denial-of-service (DoS) condition or, in certain configurations, achieve remote code execution (RCE) — no credentials required.
How the Vulnerability Works
The flaw resides in NGINX’s ngx_http_rewrite_module — the same component targeted by the earlier “NGINX Rift” bug (CVE-2026-42945). It is triggered when a rewrite directive uses a regex with overlapping PCRE capture groups (e.g., ^/((.*))$) combined with a replacement string referencing multiple captures (e.g., $1$2). An attacker can send crafted requests to cause a heap buffer overflow (CWE-122) in the NGINX worker process.
NGINX uses a dedicated memory pool per request and maintains a linked list of cleanup handlers inside it. By triggering the overflow, an attacker can redirect or overwrite that handler pointer, turning pool destruction into a control-flow hijack — hence the name “poolslip.” The earlier NGINX Rift patch (CVE-2026-42945) failed to close the underlying memory pool attack surface, leaving a different path to the same corruption target.
Severity and Exploitation Risk
The flaw is rated High (CVSS v3.1: 8.1) and Critical (CVSS v4.0: 9.2). At minimum, exploitation crashes the NGINX worker process (DoS). Code execution is achievable on systems where ASLR is disabled or can be bypassed. Key risk factors:
- No authentication required — any external attacker can attempt exploitation over plain HTTP.
- Proof-of-concept activity is already circulating publicly.
- NGINX is deployed in reverse proxies, API gateways, and Kubernetes ingress controllers globally, creating a massive attack surface.
Affected Products and Fixed Versions
The following NGINX products are confirmed vulnerable:
- NGINX Open Source 0.1.17 – 1.30.1 and 1.31.0 → upgrade to 1.30.2 or 1.31.1
- NGINX Plus R32 – R36 and 37.0.0 → upgrade to R36 P5, R32 P7, or 37.0.1.1
- NGINX Instance Manager, F5 WAF for NGINX, App Protect WAF/DoS, Gateway Fabric, and Ingress Controller all inherit the flaw — patches are pending for these downstream products.
- The legacy 0.x branch will not receive a fix; migration to a supported branch is required.
Temporary Mitigations
If immediate patching is not feasible, F5 recommends replacing unnamed PCRE capture groups with named captures in all affected rewrite directives. For example, use (?<user_id>...) instead of an unnamed group and reference it by name (e.g., $user_id) in the replacement string. Additional recommended actions:
- Audit all NGINX configurations for rewrite directives with overlapping PCRE capture groups.
- Enable ASLR system-wide to raise the bar for code execution.
- Monitor NGINX worker crash and restart events as an early indicator of exploitation attempts.
- Deploy WAF rules to block requests matching known PoC patterns.
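The audit recommended above can be scripted. The following is an added example written for this page, not code from the advisory or from F5/NGINX: it scans nginx configuration text for rewrite directives whose regex nests unnamed capture groups and whose replacement references two or more numbered captures (the shape described in the "How the Vulnerability Works" section), and prints a mechanical named-capture rewrite in the form the mitigation suggests. The sample configuration is constructed, the gN naming scheme is the example's own choice, and the script reads one file's text without following include directives.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (not from the advisory). One rewrite has
# nested unnamed captures and a two-capture replacement; three do not.
SAMPLE_CONF = r"""
server {
    listen 80;
    # nested unnamed captures and two numeric references: flagged
    rewrite ^/((.*))$ /app/$1$2 last;
    # a single unnamed capture: not flagged
    rewrite ^/old/(.*)$ /new/$1 permanent;
    # nested captures, but the replacement uses only one reference: not flagged
    rewrite ^/((a|b)+)$ /x/$1 last;
    # named captures referenced by name: not flagged
    rewrite "^/users/(?<user_id>[0-9]+)/(?<tab>\w+)$" /u?id=$user_id&tab=$tab last;
}
"""

# One rewrite directive per line: regex (optionally quoted), replacement, optional flag.
REWRITE_RE = re.compile(
    r"""^[ \t]*rewrite[ \t]+("[^"]*"|'[^']*'|\S+)[ \t]+(\S+)(?:[ \t]+(\w+))?[ \t]*;""",
    re.MULTILINE,
)
NUMERIC_REF_RE = re.compile(r"\$\{?(\d+)\}?")   # $1 or ${1} in a replacement


def capture_groups(pattern: str) -> List[Tuple[int, int, bool]]:
    """Return (open_index, close_index, is_named) for every capturing group,
    sorted by opening position, which is PCRE numbering order. Escapes,
    character classes and (?...) constructs are skipped or classified."""
    groups, stack, i = [], [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                        # escaped character: skip it
            i += 2
        elif c == "[":                       # character class: skip to its ]
            j = i + 1
            if pattern[j:j + 1] == "^":
                j += 1
            if pattern[j:j + 1] == "]":      # a leading ] is literal
                j += 1
            while j < len(pattern) and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
        elif c == "(":
            if pattern.startswith("(?", i):
                head = pattern[i + 2:i + 4]
                # (?<name>, (?P<name> and (?'name' capture by name;
                # (?:, (?=, (?!, (?<=, (?<! and inline flags do not capture.
                named = head.startswith(("P<", "'")) or (
                    head.startswith("<") and head[1:2] not in ("=", "!"))
                stack.append((i, named, named))
            else:
                stack.append((i, True, False))
            i += 1
        elif c == ")":
            if stack:
                start, capturing, named = stack.pop()
                if capturing:
                    groups.append((start, i, named))
            i += 1
        else:
            i += 1
    return sorted(groups)


def overlapping_unnamed(groups) -> List[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Pairs (outer, inner) of unnamed capturing groups where one encloses the other."""
    unnamed = [(s, e) for s, e, named in groups if not named]
    return [(a, b) for a in unnamed for b in unnamed if a[0] < b[0] and b[1] < a[1]]


def suggest_named(regex: str, replacement: str) -> Tuple[str, str]:
    """Rename unnamed groups to (?<gN>...) and rewrite $N to $gN (gN is this
    example's own naming). N follows PCRE numbering, so references keep meaning."""
    groups = capture_groups(regex)
    renamed: Dict[str, str] = {}
    new_regex = regex
    for number, (start, _end, named) in reversed(list(enumerate(groups, 1))):
        if not named:                        # insert from the right; earlier offsets stay valid
            renamed[str(number)] = f"g{number}"
            new_regex = new_regex[:start + 1] + f"?<g{number}>" + new_regex[start + 1:]
    new_repl = NUMERIC_REF_RE.sub(
        lambda m: "$" + renamed[m.group(1)] if m.group(1) in renamed else m.group(0),
        replacement)
    return new_regex, new_repl


def audit_config(text: str) -> List[dict]:
    """Flag rewrites that nest unnamed captures AND reference two or more
    numbered captures in the replacement; report line, directive and suggestion."""
    findings = []
    for m in REWRITE_RE.finditer(text):
        regex, replacement = m.group(1).strip("\"'"), m.group(2)
        nested = overlapping_unnamed(capture_groups(regex))
        refs = set(NUMERIC_REF_RE.findall(replacement))
        if nested and len(refs) >= 2:
            findings.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "regex": regex,
                "replacement": replacement,
                "suggestion": suggest_named(regex, replacement),
            })
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONF):
        print(f"line {f['line']}: rewrite {f['regex']} {f['replacement']}")
        print(f"  suggested: rewrite {f['suggestion'][0]} {f['suggestion'][1]}")
```

Run against the constructed sample, only the first rewrite is reported, with the suggestion `rewrite ^/(?<g1>(?<g2>.*))$ /app/$g1$g2`. A rewrite that nests captures but references a single one, and one that already uses named captures, pass; review any suggestion by hand before applying it, since the script does not know what the captures mean.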
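The worker-crash monitoring recommended above is a matter of reading the error log. The following is an added example for this page, not code from the advisory or from NGINX: it extracts "worker process N exited on signal S" events from nginx error-log lines and raises an alert when several crashes cluster inside a short window, which is the pattern a stream of malformed requests against a request-handling bug produces. The log excerpt is constructed, and the 60-second window and threshold of three crashes are assumptions to tune for the site's normal crash rate.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta
from typing import List

# Constructed error-log excerpt (not from the advisory). Signals 11 (SIGSEGV)
# and 6 (SIGABRT, e.g. from the allocator's heap checks) are the usual
# symptoms of heap corruption in a worker.
SAMPLE_LOG = """\
2026/03/10 12:00:00 [notice] 1000#1000: start worker process 1001
2026/03/10 12:00:01 [alert] 1000#1000: worker process 1001 exited on signal 11 (core dumped)
2026/03/10 12:00:01 [notice] 1000#1000: start worker process 1002
2026/03/10 12:00:05 [alert] 1000#1000: worker process 1002 exited on signal 6 (core dumped)
2026/03/10 12:00:09 [alert] 1000#1000: worker process 1003 exited on signal 11
2026/03/10 12:30:00 [notice] 1000#1000: signal 1 (SIGHUP) received from 1, reconfiguring
2026/03/10 13:00:00 [alert] 1000#1000: worker process 1010 exited on signal 11 (core dumped)
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)


def parse_crashes(lines) -> List[dict]:
    """Extract worker-crash events (timestamp, pid, signal, core dumped?)."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "pid": int(m["pid"]),
                "signal": int(m["sig"]),
                "core": m["core"] is not None,
            })
    return events


def detect_crash_bursts(events, window=timedelta(seconds=60), threshold=3) -> List[dict]:
    """Emit one alert each time `threshold` crashes fall inside `window`.
    A lone crash is noise; a cluster is worth an incident ticket."""
    alerts, recent = [], deque()
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent.append(ev)
        while ev["ts"] - recent[0]["ts"] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({
                "start": recent[0]["ts"],
                "end": ev["ts"],
                "count": len(recent),
                "signals": dict(Counter(e["signal"] for e in recent)),
            })
            recent.clear()                            # one alert per burst
    return alerts


if __name__ == "__main__":
    crashes = parse_crashes(SAMPLE_LOG.splitlines())
    for a in detect_crash_bursts(crashes):
        print(f"{a['count']} worker crashes between {a['start']} and {a['end']}: "
              f"signals {a['signals']}")
```

On the constructed excerpt the three crashes between 12:00:01 and 12:00:09 produce one alert (signals {11: 2, 6: 1}); the isolated crash an hour later does not. The same event list can feed a per-signal count or be correlated with the access log to find which request shape preceded each crash.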
Disclosure
The vulnerability was discovered and reported by Mufeed VH of Winfunc Research, Nebula Security, and Vexera AI. F5 has published official advisory K000161377. With PoC activity already circulating, organizations should treat this as an emergency patch event.