Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks \u2014 Patch Now!
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A newly disclosed flaw in one of the world\u2019s most widely deployed web servers is forcing administrators into another emergency patch cycle.<\/p>\n
Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip<\/a>, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP.<\/p>\n The vulnerability resides in the According to F5\u2019s advisory, the condition arises when a rewrite directive uses a regex pattern with distinct, overlapping PCRE capture groups, such as ^\/((.*))$ paired with a replacement string referencing multiple captures, like Under these conditions, an attacker sending crafted requests can trigger a heap buffer overflow (CWE-122) in the NGINX worker process. NGINX uses a dedicated memory pool for each request and releases it all at once when the request is finished.<\/p>\n Inside that pool structure, NGINX maintains a linked list of cleanup handlers, and if an attacker can overwrite or redirect that handler pointer, pool destruction becomes a control-flow hijack opportunity.<\/p>\n Where the earlier Rift bug abused a buffer-size calculation error, poolslip triggers a controlled pointer \u201cslip\u201d across adjacent linked structures in the same pool, via a different code path to the same corruption target.<\/p>\n Crucially, researchers confirmed the patch for the prior flaw failed to remediate the underlying memory pool attack surface, leaving the door open for poolslip to emerge in the updated codebase.<\/p>\n At minimum, exploitation crashes and restarts the worker process, producing a denial-of-service condition. More seriously, code execution is possible on systems where Address Space Layout Randomization (ASLR) is disabled or where an attacker can bypass it.<\/p>\n F5 notes there is no<\/a> control-plane exposure; this is strictly a data-plane issue. The flaw carries a High\/8.1 (CVSS v3.1) and Critical\/9.2 (CVSS v4.0) rating.<\/p>\n Given NGINX\u2019s ubiquity across reverse proxies, API gateways, and Kubernetes ingress controllers, the exposed footprint is enormous.<\/p>\n NGINX Open Source ngx_http_rewrite_module<\/code>, the same component implicated in the recent \u201cNGINX Rift\u201d flaw (CVE-2026-42945).<\/p>\n$1$2<\/code> in a redirect or arguments context.<\/p>\nAffected Versions and Fixes<\/strong><\/h2>\n
0.1.17<\/code> through 1.30.1<\/code> and 1.31.0<\/code> are vulnerable; upgrade to 1.30.2 or 1.31.1. NGINX Plus users on R32\u2013R36 should move to R36 P5 or R32 P7, and 37.x users to R37.0.1.1.<\/p>\n