
New NGINX 0-Day “nginx-poolslip” Exposes Millions to RCE

A critical zero-day remote code execution (RCE) vulnerability, dubbed nginx-poolslip, has been publicly disclosed in NGINX version 1.31.0, the latest stable release of the world’s most widely deployed web server software.

The discovery, made by security researcher Vega of the NebSec security team, was announced via X (formerly Twitter) on May 21, 2026, sending shockwaves through the global security community.

The timing is particularly alarming: just weeks prior, administrators worldwide scrambled to patch CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module carrying a CVSS v4 score of 9.2.

That flaw, embedded in the codebase since 2008, exposed an estimated 5.7 million internet-facing NGINX servers to denial-of-service attacks and conditional RCE.

F5 patched it in NGINX Open Source versions 1.31.0 and 1.30.1, and 1.31.0 is the very release that nginx-poolslip now targets.

New NGINX 0-Day “nginx-poolslip”

nginx-poolslip exploits a flaw in NGINX’s internal memory pool handling mechanism, allowing unauthenticated attackers to achieve remote code execution and potentially compromise the entire system.

Most critically, the vulnerability functions as a bypass of Address Space Layout Randomization (ASLR), a foundational OS-level memory protection designed to thwart exactly this category of memory corruption exploit.

The attack surface traces back to a predecessor vulnerability, nginx-rift, which affected earlier NGINX versions and was subsequently patched.

https://twitter.com/nebusecurity/status/2057071579876753643?ref_src=twsrc%5Etfw

However, NebSec’s research confirms that the patch for nginx-rift failed to remediate the underlying memory pool attack surface, leaving the door open for nginx-poolslip to emerge in the updated codebase.

NGINX powers an estimated 30–40% of all global web servers, spanning high-traffic platforms, reverse proxies, load balancers, and API gateways.

Because nginx-poolslip specifically targets version 1.31.0, the release that admins rushed to deploy following CVE-2026-42945, organizations that acted diligently may now find themselves re-exposed to a fresh, unpatched threat.

According to CSN, no CVE identifier has been assigned, and no official patch from F5/NGINX is available.

NebSec is operating under a 30-day responsible disclosure timeline, withholding full technical details, including the complete ASLR bypass methodology, until an official fix is released.

Mitigations

Until an official patch is issued, administrators should implement the following interim measures:

  • Monitor NebSec and F5 security advisories closely for patch availability
  • Restrict public exposure of NGINX admin interfaces and deploy WAF rules to reduce the attack surface
  • Ensure ASLR is enforced system-wide by setting /proc/sys/kernel/randomize_va_space to 2
  • Audit NGINX configurations for rewrite, if, and set directives using unnamed PCRE capture groups — a known precondition for pool-level memory corruption
  • Evaluate memory-safe alternatives such as Cloudflare Pingora for mission-critical infrastructure
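
One way to script the ASLR and configuration checks from the list above, added here as an example (not code from NebSec, F5 or the original article). It flags `rewrite` and `if` regexes that contain unnamed capture groups and `set` directives that read `$1`-`$9`; the function names, the line-based parsing and the sample configuration are assumptions made for illustration.

```python
import re

# An unescaped "(" not followed by "?" opens an unnamed capture group; (?:...),
# (?<name>...), (?P<name>...) and lookarounds all start with "(?" and are skipped.
UNNAMED_GROUP = re.compile(r"(?<!\\)\((?!\?)")
NUMBERED_REF = re.compile(r"\$[1-9]")     # $1..$9 are filled from unnamed groups
DIRECTIVE = re.compile(r"^\s*(rewrite|if|set)\s+(.*)$")
IF_REGEX = re.compile(r"!?~\*?\s*(.*)$")  # text after a regex-match operator

def audit_config(text):
    """Return (line_no, directive, reason) tuples for lines to review by hand."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(raw.split("#", 1)[0])  # naive comment strip
        if not m:
            continue
        name, args = m.groups()
        pattern = ""
        if name == "rewrite":
            pattern = (args.split() or [""])[0]    # first argument is the regex
        elif name == "if":
            op = IF_REGEX.search(args)             # "=" and "-f" tests carry no regex
            pattern = op.group(1) if op else ""
        if UNNAMED_GROUP.search(pattern):
            findings.append((no, name, "unnamed capture group"))
        elif name == "set" and NUMBERED_REF.search(args):
            findings.append((no, name, "uses numbered capture"))
    return findings

def aslr_full(value):
    return value.strip() == "2"   # 2 = full randomization, the value the list asks for

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r"""
server {
    rewrite ^/user/(\d+)$ /profile?id=$1 last;
    rewrite ^/item/(?<item>\d+)$ /view?id=$item last;
    if ($request_method = POST) { return 405; }
    if ($uri ~* "^/old/(.*)") {
        set $rest $1;
    }
    set $backend "app";   # plain assignment, no capture involved
}
"""

if __name__ == "__main__":
    print(*audit_config(SAMPLE), sep="\n")
    with open("/proc/sys/kernel/randomize_va_space") as f:
        print("ASLR fully enabled:", aslr_full(f.read()))
```

To audit a live server, pass the text printed by `nginx -T` to `audit_config`. The matching is line-based and does not parse character classes or regexes split across lines, so treat its findings as a list of lines to review by hand.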

Given NGINX’s outsized role in global web infrastructure, the security community is closely monitoring NebSec’s coordinated disclosure.

Organizations are strongly urged to subscribe to F5’s security bulletin feed and prepare emergency patching workflows in anticipation of an imminent fix.


The post New NGINX 0-Day “nginx-poolslip” Exposes Millions to RCE appeared first on Cyber Security News.
