A critical heap-based buffer overflow vulnerability has been discovered in NGINX Plus and NGINX Open Source, tracked as CVE-2026-9256 and internally designated as F5 ID 161 (NGINX).
The flaw, residing in the ngx_http_rewrite_module, can be exploited by unauthenticated remote attackers to crash NGINX worker processes or achieve remote code execution (RCE) under specific conditions. F5 has rated this vulnerability High (CVSS v3.1: 8.1) and Critical (CVSS v4.0: 9.2).
It is triggered when a rewrite directive uses a regex pattern with distinct, overlapping PCRE (Perl-Compatible Regular Expression) capture groups, such as ^/((.*))$ paired with a replacement string referencing multiple captures, like $1$2 in a redirect.
nginx-poolslip Vulnerability
NGINX uses a dedicated memory pool per request and releases it when the request finishes. Inside this pool, NGINX maintains a linked list of cleanup handlers.
While the earlier Rift bug exploited a buffer-size calculation error, poolslip reaches the same corruption through a different code path: a controlled pointer "slip" across adjacent linked structures in the same pool, which ends in a heap buffer overflow (CWE-122) in the NGINX worker process.
What distinguishes nginx-poolslip from a conventional DoS flaw is its fully demonstrated, multi-stage remote ASLR bypass. Researchers published a proof-of-concept video showing exploitation against a fully hardened Linux server running NGINX 1.31.0.
The attack begins with approximately 300 precisely crafted HTTP requests that probe the remote heap, dynamically mapping the server’s memory layout from the network.
This remote heap probing phase is followed by a Heap Feng Shui stage, in which the attacker orchestrates controlled allocation and deallocation cycles within NGINX’s memory pools to force the heap base address into a predictable position.
Once the base address is confirmed, the exploit leaks the runtime addresses of NGINX's own code, defeating ASLR without any local access.
With memory offsets established, a tailored corruption primitive causes the NGINX worker to execute an embedded attacker-controlled payload, yielding interactive root-level shell access.
F5 confirms that code execution is possible on systems where ASLR is disabled or can be bypassed by an attacker.
Affected Products and Patch Status
The vulnerability spans a broad range of NGINX-based products across the F5 ecosystem. NGINX Plus 37.0.0 is fixed in 37.0.1.1, and the R32 through R36 branches are addressed by R36 P5 and R32 P7.
NGINX Open Source 1.0.0 through 1.30.1 is fixed in 1.30.2 and 1.31.0 is fixed in 1.31.1; the legacy 0.x branch (0.1.17 through 0.9.7) will receive no fix.
| Product | Vulnerable Versions | Fix Available |
|---|---|---|
| NGINX Plus | 37.0.0; R32–R36 | 37.0.1.1; R36 P5 / R32 P7 |
| NGINX Open Source | 1.0.0–1.30.1, 1.31.0 | 1.30.2, 1.31.1 |
| NGINX Open Source 0.x | 0.1.17–0.9.7 | Will not fix |
| NGINX Instance Manager | 2.17.0–2.22.0 | None yet |
| F5 WAF for NGINX | 5.9.0–5.13.0 | None yet |
| NGINX App Protect WAF | 4.10.0–4.16.0; 5.2.0–5.8.0 | None yet |
| NGINX App Protect DoS | 4.3.0–4.7.0 | None yet |
| NGINX Gateway Fabric | 1.3.0–1.6.2; 2.0.0–2.6.1 | None yet |
| NGINX Ingress Controller | 3.5.0–3.7.2; 4.0.0–4.0.1; 5.0.0–5.4.2 | None yet |
Kubernetes operators should also note that the archived kubernetes/ingress-nginx repository, which bundles NGINX 1.27.1, remains vulnerable to both CVE-2026-42945 and CVE-2026-9256 and will not receive an upstream fix.
Mitigation
F5 recommends replacing unnamed PCRE capture groups with named captures in rewrite definitions. For example, replace:

```nginx
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
```

with:

```nginx
rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
```

Naming every capture removes the positional references ($1, $2) that the trigger condition depends on; nested patterns such as ^/((.*))$ paired with $1$2 need the same treatment. Validate the edited configuration with nginx -t before reloading, and treat the change as a stopgap rather than a substitute for the patched release.
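As an added example (editor's code, not F5's or nginx's own tooling), the following Python script audits rewrite directives for the shape described in the trigger and mitigation sections above: unnamed capture groups referenced positionally in the replacement, with nested (overlapping) groups such as ^/((.*))$ rated highest, and it mechanically applies the named-capture conversion F5 recommends. The sample configuration, the four risk levels and the generated cap1/cap2 names are the script's own assumptions; it only parses single-line rewrite directives (not location ~ or if regexes) and is a configuration check, not a fix.

```python
"""Audit nginx rewrite directives for unnamed PCRE captures referenced as $1..$9, flag
nested ones and convert them to named captures. Added example, not F5's or nginx's tooling."""
import re

SAMPLE_CONF = """
rewrite ^/((.*))$ /new/$1$2 redirect;      # nested groups, both referenced
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
rewrite "^/old/(.*)$" /new/$1 permanent;
"""
TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'|(\S+)')  # quoted or bare word
GROUP_NAME = re.compile(r"\(\?(?:P?<|')([A-Za-z_]\w*)[>']")               # (?<n>, (?P<n>, (?'n'
NUMREF = re.compile(r"\$([1-9])")                                         # nginx allows $1..$9

def char_class_end(pat, i):
    """Index of the ']' closing the character class opened at pat[i]."""
    j = i + 1 + (pat[i + 1:i + 2] == "^")
    j += pat[j:j + 1] == "]"                   # a leading ']' is a literal
    while j < len(pat) and pat[j] != "]":
        j += 2 if pat[j] == "\\" else 1
    return j

def scan_groups(pat):
    """One pass over a PCRE pattern -> (groups, rebuilt). groups: capturing groups in PCRE
    order as {num, name, nested}; rebuilt: pattern with unnamed captures as (?<capN>...)."""
    groups, out, stack, open_caps, i = [], [], [], 0, 0
    while i < len(pat):
        c = pat[i]
        if c == "\\":                          # escapes and classes are copied, not parsed
            out.append(pat[i:i + 2]); i += 2; continue
        if c == "[":
            j = char_class_end(pat, i)
            out.append(pat[i:j + 1]); i = j + 1; continue
        if c == "(":
            m = GROUP_NAME.match(pat, i)
            capturing = bool(m) or not pat.startswith("(?", i)  # (?:, (?=, (?<= ... don't capture
            name, tok = (m.group(1), m.group(0)) if m else (None, "(")
            if capturing:
                num = len(groups) + 1
                groups.append({"num": num, "name": name, "nested": open_caps > 0})
                tok = tok if name else "(?<cap%d>" % num
                open_caps += 1
            stack.append(capturing)
            out.append(tok); i += len(tok) if m else 1; continue
        if c == ")" and stack and stack.pop():
            open_caps -= 1
        out.append(c); i += 1
    return groups, "".join(out)

def analyze_pattern(pat):
    """(unnamed, named, nested) for one pattern."""
    groups, _ = scan_groups(pat)
    unnamed = sum(g["name"] is None for g in groups)
    return unnamed, len(groups) - unnamed, any(g["nested"] for g in groups)

def to_named(pattern, repl):
    """F5's mitigation done mechanically: name every unnamed group and repoint $N at the names
    (PCRE numbers named and unnamed groups together). ${name} is used where a word char follows."""
    groups, rebuilt = scan_groups(pattern)
    names = {g["num"]: g["name"] or "cap%d" % g["num"] for g in groups}
    def sub(m):
        n, nxt = int(m.group(1)), repl[m.end():m.end() + 1]
        if n not in names:                     # nginx would reject this at config test anyway
            return m.group(0)
        return ("${%s}" if nxt.isalnum() or nxt == "_" else "$%s") % names[n]
    return rebuilt, NUMREF.sub(sub, repl)

def iter_rewrites(conf):
    """(pattern, replacement, flag) per single-line rewrite; location ~ / if regexes not checked."""
    for raw in conf.splitlines():
        toks = [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(raw)]
        toks = toks[:next((k for k, t in enumerate(toks) if t.startswith("#")), len(toks))]
        if toks:
            toks[-1] = toks[-1].rstrip(";")    # ';' may be glued to the last argument
        toks = [t for t in toks if t]
        if len(toks) >= 3 and toks[0] == "rewrite":
            yield toks[1], toks[2], toks[3] if len(toks) > 3 else None

def audit(conf):
    """One finding per rewrite, rated by this script's own heuristic (see comments)."""
    findings = []
    for pattern, repl, flag in iter_rewrites(conf):
        unnamed, named, nested = analyze_pattern(pattern)
        refs = sorted(set(NUMREF.findall(repl)))
        if unnamed and nested and len(refs) >= 2:
            risk = "high"      # the trigger shape above: overlapping groups, $N$M referenced
        elif unnamed >= 2 and len(refs) >= 2:
            risk = "review"    # several positional references into unnamed groups
        elif unnamed and refs:
            risk = "low"       # still unnamed; F5's guidance is to name all of them
        else:
            risk = "ok"        # named captures only, or nothing referenced
        findings.append(dict(pattern=pattern, replacement=repl, flag=flag, unnamed=unnamed,
                             named=named, nested=nested, refs=refs, risk=risk))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f["risk"], f["pattern"], f["replacement"], "->", *to_named(f["pattern"], f["replacement"]))
```

Feed it the output of nginx -T (the full effective configuration, including included files) rather than a single file, and run nginx -t on the converted directives before reloading. The converter keeps nested groups nested, so a "high" finding still deserves a look at whether the inner group is needed at all.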
F5 credited Mufeed VH of Winfunc Research, Nebula Security (@nebusecurity), and Vexera AI for discovering and reporting this vulnerability through coordinated disclosure.
Organizations running any of the affected NGINX products should apply available patches immediately and implement the named-capture mitigation for configurations that cannot be patched right away.
The post nginx-poolslip Flaw Enables DoS and Remote Code Execution appeared first on Cyber Security News.
