Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

A newly disclosed flaw in one of the world’s most widely deployed web servers is forcing administrators into another emergency patch cycle.

Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP.

The vulnerability resides in the ngx_http_rewrite_module, the same component implicated in the recent “NGINX Rift” flaw (CVE-2026-42945).

According to F5’s advisory, the condition arises when a rewrite directive uses a regex pattern with distinct, overlapping PCRE capture groups, such as ^/((.*))$ paired with a replacement string referencing multiple captures, like $1$2 in a redirect or arguments context.

Under these conditions, an attacker sending crafted requests can trigger a heap buffer overflow (CWE-122) in the NGINX worker process. NGINX uses a dedicated memory pool for each request and releases it all at once when the request is finished.

Inside that pool structure, NGINX maintains a linked list of cleanup handlers, and if an attacker can overwrite or redirect that handler pointer, pool destruction becomes a control-flow hijack opportunity.

Where the earlier Rift bug abused a buffer-size calculation error, poolslip triggers a controlled pointer “slip” across adjacent linked structures in the same pool, via a different code path to the same corruption target.

Crucially, researchers confirmed the patch for the prior flaw failed to remediate the underlying memory pool attack surface, leaving the door open for poolslip to emerge in the updated codebase.

At minimum, exploitation crashes and restarts the worker process, producing a denial-of-service condition. More seriously, code execution is possible on systems where Address Space Layout Randomization (ASLR) is disabled or where an attacker can bypass it.

F5 notes there is no control-plane exposure; this is strictly a data-plane issue. The flaw carries a High/8.1 (CVSS v3.1) and Critical/9.2 (CVSS v4.0) rating.

Given NGINX’s ubiquity across reverse proxies, API gateways, and Kubernetes ingress controllers, the exposed footprint is enormous.

Affected Versions and Fixes

NGINX Open Source 0.1.17 through 1.30.1 and 1.31.0 are vulnerable; upgrade to 1.30.2 or 1.31.1. NGINX Plus users on R32–R36 should move to R36 P5 or R32 P7, and 37.x users to R37.0.1.1.

Product	Vulnerable Versions	Fixed Versions
NGINX Plus	37.0.0 R32 – R36	37.0.1.1 R36 P5, R32 P7
NGINX Open Source	1.31.0 1.0.0 – 1.30.1 0.1.17 – 0.9.7	1.31.1 1.30.2 Will not fix
NGINX Instance Manager	2.17.0 – 2.22.0	None
F5 WAF for NGINX	5.9.0 – 5.13.0	None
NGINX App Protect WAF	5.2.0 – 5.8.0 4.10.0 – 4.16.0	None None
F5 DoS for NGINX	4.9.0	None
NGINX App Protect DoS	4.3.0 – 4.7.0	None
NGINX Gateway Fabric	2.0.0 – 2.6.1 1.3.0 – 1.6.2	None None
NGINX Ingress Controller	5.0.0 – 5.4.2 4.0.0 – 4.0.1 3.5.0 – 3.7.2	None None None
NGINX (all other products)	None	Not applicable

Downstream products, including NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect (WAF and DoS), NGINX Gateway Fabric, and NGINX Ingress Controller, inherit the vulnerable components and should be updated as fixes ship. The 0.x branch will not be fixed.

If immediate patching isn’t feasible, F5 recommends replacing unnamed captures with named captures in every affected rewrite directive. For example, rewrite $1 and $2 references as (?<user_id>...) and (?<section>...), referenced by name in the replacement string.

The flaw was credited to Mufeed VH of Winfunc Research, Nebula Security, and Vexera AI. With proof-of-concept activity already circulating, organizations should patch without delay.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now! appeared first on Cyber Security News.