NGINX fixes nginx-poolslip flaw that could trigger crashes or code execution
NGINX has released fixes for a newly disclosed vulnerability known as nginx-poolslip, tracked as CVE-2026-9256. The flaw affects the ngx_http_rewrite_module and can let an unauthenticated attacker trigger a heap buffer overflow under specific rewrite-rule conditions.
The issue affects NGINX Plus and NGINX Open Source, with vulnerable NGINX Open Source versions listed from 0.1.17 through 1.31.0. The official NGINX security advisories page says versions 1.31.1 and 1.30.2 are not vulnerable.
The risk is not the same for every server. Exploitation depends on rewrite directives that use overlapping PCRE capture groups and replacement strings that reference multiple captures in redirect or arguments context.
What nginx-poolslip does
The vulnerability sits in NGINX’s rewrite handling, a common feature used to redirect, transform, or rewrite incoming URLs. When a vulnerable configuration processes a crafted HTTP request, the worker process can hit a heap buffer overflow.
The NVD entry for CVE-2026-9256 says the issue may cause the NGINX worker process to restart. It also says attackers can execute code on systems with Address Space Layout Randomization disabled or when the attacker can bypass ASLR.
That distinction matters. This is not a simple one-request takeover of every NGINX server. It becomes more dangerous when the vulnerable rewrite pattern exists and when memory-protection conditions make code execution possible.
| Detail | Information |
|---|---|
| Vulnerability name | nginx-poolslip |
| CVE | CVE-2026-9256 |
| Affected component | ngx_http_rewrite_module |
| Bug class | Heap-based buffer overflow |
| Attack access | Remote, unauthenticated, with configuration conditions |
| Possible impact | Worker process crash or possible code execution in weaker ASLR conditions |
| Fixed NGINX Open Source versions | 1.31.1 and 1.30.2 or later |
Why rewrite rules create the attack condition
NGINX rewrite rules often use regular expressions to capture parts of a URL and reuse those captured values in a new location or query string. That is normal behavior in web routing, redirects, SEO migrations, and reverse proxy setups.
The problem appears when a rewrite directive uses distinct but overlapping PCRE capture groups, such as nested captures, and then references more than one capture in a redirect or arguments context. In those cases, a crafted request can reach the vulnerable memory-handling path.
The CVE-2026-9256 record gives an example pattern using overlapping captures and multiple references. Administrators should review rewrite rules that use $1, $2, or similar capture references, especially in older or complex server configurations.
How this differs from the earlier NGINX Rift flaw
The disclosure follows another recent NGINX rewrite-module issue, CVE-2026-42945, which was also tied to heap memory corruption. That earlier flaw was fixed in NGINX Open Source 1.31.0 and 1.30.1.
nginx-poolslip is a separate issue, so servers that moved to 1.31.0 for the earlier fix may still need another update. The NGINX advisory list now shows CVE-2026-9256 as fixed in 1.31.1 and 1.30.2, while the earlier CVE-2026-42945 entry lists 1.31.0 and 1.30.1 as fixed.
This creates a patch-management trap. Teams that recently upgraded and considered the rewrite-module issue resolved should check again, because the fixed version for the newer vulnerability is different.
cPanel has also shipped an ea-nginx update
Hosting providers and administrators using packaged NGINX builds should not assume upstream source releases automatically protect their systems. Downstream vendors need to ship their own builds, and administrators need to confirm those packages were installed.
cPanel says it released an ea-nginx 1.31.1 security update on May 22, 2026, to address CVE-2026-9256. Its notice describes the issue as remote code execution via worker process memory pool handling.
That update matters for shared hosting environments because NGINX often sits in front of many customer sites. A single vulnerable proxy layer can affect multiple hosted applications, even if the application code itself has no related bug.
Who should prioritize the update
Any organization running NGINX as a public web server, reverse proxy, ingress controller, API gateway, load balancer, or caching layer should check versions and configurations. Internet-facing systems with complex rewrite rules deserve the fastest review.
- Update NGINX Open Source to 1.31.1 or 1.30.2, or use vendor packages that include the fix.
- Review rewrite directives that use nested or overlapping PCRE captures.
- Look for replacement strings that reference multiple captures, such as $1$2.
- Confirm ASLR is enabled on Linux systems.
- Monitor NGINX worker crashes, restarts, and unusual HTTP error spikes.
- Check managed hosting, container images, ingress controllers, and appliances that bundle NGINX.
ASLR does not replace patching. It can reduce the chance of code execution in some memory-corruption scenarios, but the underlying bug still needs the fixed NGINX build.
Why the severity appears confusing
The severity may look inconsistent across sources. NGINX’s advisory page labels the issue medium, but NVD currently lists F5’s CVSS 4.0 score as 9.2 critical and CVSS 3.1 score as 8.1 high.
This difference comes from how exploitability and impact get modeled. The attack can be unauthenticated and remote, but it also needs certain rewrite-rule conditions and, for code execution, ASLR must be disabled or bypassed.
Administrators should not dismiss the issue because a source calls it medium. Memory corruption in a public-facing web server deserves quick attention, especially when the affected component sits in routing logic used across many production configurations.
What administrators should check now
Start by checking the NGINX version actually running, not only the package version listed in a repository. Containers, appliances, and custom builds may lag behind upstream security releases.
- Run nginx -v or use the package manager to confirm the installed build.
- Restart or reload NGINX after applying the fixed package.
- Audit nginx.conf and included site configuration files for risky rewrite patterns.
- Search for nested captures such as ^/((.*))$ and multiple capture references such as $1$2.
- Update base container images and redeploy services that bundle NGINX.
- Check vendor advisories for appliances, ingress controllers, and hosting panels.
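The rewrite-rule condition described above and the audit steps in this checklist can be scripted. The following Python is an added example (not code from NGINX, F5 or cPanel): it flags rewrite directives whose regex nests capture groups and whose replacement references two or more captures in a redirect or arguments context, and it compares an `nginx -v` banner with the fixed releases named in the advisory. The sample config and the example.test host are constructed for illustration.

```python
import re
# Constructed sample config (not from any real deployment): one safe rewrite, one with adjacent
# (non-overlapping) groups, and two matching the risky shape described in the advisory.
SAMPLE_CONF = """
server {
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/(a)(b)$ /x$1$2 last;
    rewrite ^/((.*))$ /go?a=$1&b=$2 redirect;
    rewrite ^/api/((v[0-9]+)/.*)$ https://example.test/$1/$2? permanent;
}
"""
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*;', re.M)

def has_nested_capture(pattern):
    """True if a capturing group opens while another capturing group is still open."""
    stack, i, escaped, in_class = [], 0, False, False  # stack: True per capturing group
    while i < len(pattern):
        ch = pattern[i]
        if escaped or ch == '\\':
            escaped = not escaped
        elif in_class or ch == '[':
            in_class = ch != ']'
        elif ch == '(':
            # "(?" opens a non-capturing group unless it is a named group (?<name> or (?P<name>
            capturing = (not pattern.startswith('(?', i) or pattern.startswith('(?P<', i)
                         or (pattern.startswith('(?<', i) and pattern[i + 3:i + 4] not in ('=', '!')))
            if capturing and any(stack):
                return True
            stack.append(capturing)
        elif ch == ')' and stack:
            stack.pop()
        i += 1
    return False

def audit_rewrites(conf_text):
    """Flag rewrites with nested captures and >= 2 capture references in redirect or args context."""
    findings = []
    for m in REWRITE_RE.finditer(conf_text):
        pattern, replacement, flag = m.group(1), m.group(2), m.group(3)
        refs = set(re.findall(r'\$(\d+)', replacement))
        # nginx answers with a redirect for these flags and for absolute-URL replacements
        redirect = flag in ('redirect', 'permanent') or replacement.startswith(('http://', 'https://', '$scheme'))
        if has_nested_capture(pattern) and len(refs) >= 2 and (redirect or '?' in replacement):
            findings.append(m.group(0).strip())
    return findings
def is_fixed_version(banner):
    """Compare an 'nginx version: nginx/X.Y.Z' banner (nginx -v) with the fixed releases 1.31.1 / 1.30.2."""
    v = tuple(int(x) for x in re.search(r'nginx/(\d+)\.(\d+)\.(\d+)', banner).groups())
    return v >= (1, 30, 2) if v[:2] == (1, 30) else v >= (1, 31, 1)
```

Run `audit_rewrites` over the text of nginx.conf and every file it includes; a finding is a rule to review, not proof of exploitability, since the advisory ties the overflow to this shape of rule rather than to a single exact pattern.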
Users of cPanel-managed systems should check whether ea-nginx is installed and updated. The cPanel security notice says CloudLinux and AlmaLinux users can verify the ea-nginx package with dnf, while Ubuntu users can check the installed package through apt.
Why this matters for web infrastructure
NGINX sits in front of websites, APIs, Kubernetes services, SaaS platforms, and enterprise portals. A rewrite-module vulnerability can sit close to the edge of the network, where unauthenticated traffic first reaches infrastructure.
The safest response is to patch quickly and review configuration rather than waiting for public exploitation details. Even when exploitation needs specific conditions, attackers can scan for version banners, test rewrite behavior, and focus on high-value targets.
For many teams, this will be the second NGINX emergency review in a short period. That makes asset inventory more important than usual, since older proxy instances, container images, and managed hosting builds often fall outside normal patch dashboards.
Administrators should treat CVE-2026-9256 as a high-priority update for public NGINX deployments, especially where rewrite rules use complex regular expressions and capture references.
FAQ
nginx-poolslip is the public name for CVE-2026-9256, a heap-based buffer overflow vulnerability in the NGINX ngx_http_rewrite_module.
NGINX lists Open Source versions 0.1.17 through 1.31.0 as vulnerable. Versions 1.31.1 and 1.30.2 or later are listed as not vulnerable.
Yes, but only under certain conditions. The vulnerability can crash the NGINX worker process and may allow code execution if ASLR is disabled or if an attacker can bypass ASLR.
Risk increases when rewrite directives use overlapping PCRE capture groups and replacement strings that reference multiple captures, such as $1 and $2, in redirect or arguments context.
Administrators should update to NGINX 1.31.1 or 1.30.2, install fixed vendor packages, review rewrite rules, confirm ASLR is enabled, and monitor NGINX worker crashes or unusual traffic.