NGINX Poolslip Vulnerability Can Crash Workers and May Enable Code Execution


NGINX administrators should patch a newly disclosed rewrite module vulnerability tracked as CVE-2026-9256. The issue, also being called nginx-poolslip, affects NGINX Open Source and NGINX Plus configurations that use overlapping PCRE captures in certain rewrite rules.

The NGINX security advisory page lists the flaw as a buffer overflow in ngx_http_rewrite_module. The project says NGINX Open Source versions 0.1.17 through 1.31.0 are vulnerable, while 1.31.1 and 1.30.2 are not vulnerable.

The NVD entry for CVE-2026-9256 says an unauthenticated attacker can send crafted HTTP requests under specific conditions. The likely result is a heap buffer overflow in an NGINX worker process, which can force the worker to restart and cause a denial-of-service condition.

What makes CVE-2026-9256 dangerous

The vulnerability sits in the NGINX rewrite module, a common component used to redirect, rewrite, or adjust request handling. The issue appears when a rewrite directive uses overlapping PCRE capture groups and then references multiple captures in a redirect or arguments context.

The F5 advisory says the flaw is a data-plane issue only, with no control-plane exposure. That means attackers target traffic processing rather than the management interface.

Code execution is possible in some cases, but the condition is not automatic on every vulnerable deployment. NVD says attackers may execute code on systems where Address Space Layout Randomization is disabled or where the attacker can bypass ASLR.

| Item | Details |
| --- | --- |
| CVE | CVE-2026-9256 |
| Nickname | nginx-poolslip |
| Affected component | ngx_http_rewrite_module |
| Weakness type | Heap-based buffer overflow, CWE-122 |
| Main impact | Worker process crash and denial of service |
| Possible higher impact | Code execution if ASLR is disabled or bypassed |

Patched NGINX versions are already available

NGINX Open Source users should upgrade to version 1.31.1 on the mainline branch or 1.30.2 on the stable branch. The NGINX GitHub releases page says both releases were published on May 22, 2026, with a fix for the rewrite module buffer overflow.

NGINX Plus users should follow F5’s fixed release guidance. The current fixes listed for NGINX Plus include R37.0.1.1, R36 P5, and R32 P7, depending on the branch in use.

Hosting providers are also shipping downstream updates. The cPanel security notice says ea-nginx 1.31.1 was released on May 22, 2026 to address CVE-2026-9256.

| Product | Vulnerable versions | Fixed version or guidance |
| --- | --- | --- |
| NGINX Open Source mainline | 1.31.0 | Upgrade to 1.31.1 or later |
| NGINX Open Source stable | 1.0.0 through 1.30.1 | Upgrade to 1.30.2 or later |
| Older NGINX Open Source 0.x builds | 0.1.17 through 0.9.x | Move to a supported fixed release |
| NGINX Plus R37 | 37.0.0 | Upgrade to 37.0.1.1 |
| NGINX Plus R32 through R36 | Affected R32 to R36 builds | Upgrade to R36 P5 or R32 P7, based on branch support |
| cPanel ea-nginx | ea-nginx 1.31.0 | Update to ea-nginx 1.31.1 |

Why rewrite rules need review

The vulnerable condition requires a specific rewrite pattern. Administrators should look for rewrite rules that use nested or overlapping regular expression captures, then combine multiple numbered captures such as $1 and $2 in the replacement value.

That makes configuration review important, even while patching remains the main fix. The F5 advisory recommends replacing unnamed captures with named captures as a mitigation when immediate patching is not possible.

For example, a rewrite rule that relies on numbered captures may need to be rewritten with explicit named captures. This reduces ambiguity in how captures get referenced and avoids the specific pattern tied to the flaw.

  • Search NGINX configuration files for rewrite rules using nested or overlapping captures.
  • Pay close attention to rules that reference multiple numbered captures in redirects or arguments.
  • Replace risky numbered captures with named captures when patching cannot happen immediately.
  • Restart or reload NGINX only after validating the updated configuration.
  • Prioritize internet-facing reverse proxies, API gateways, and edge systems.
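
The review steps above can be scripted. The following is an added example, not code from F5, NGINX or the original article: it flags rewrite directives whose pattern nests unnamed capture groups and whose replacement references two or more numbered captures. The function names, the heuristic and the sample rules are assumptions made for illustration.

```python
import re

# rewrite <regex> <replacement> [flag];  (either argument may be double-quoted)
DIRECTIVE = re.compile(r'^[ \t]*rewrite\s+("(?:\\.|[^"])*"|\S+)\s+'
                       r'("(?:\\.|[^"])*"|[^\s;]+)(?:\s+(\w+))?\s*;', re.M)

def nested_unnamed_captures(pattern):
    """True if an unnamed capture group opens inside another unnamed capture."""
    stack, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            i += 1                      # skip the escaped character, e.g. \( or \]
        elif in_class:
            in_class = c != ']'         # parentheses inside [...] are literals
        elif c == '[':
            in_class = True
        elif c == '(':
            unnamed = pattern[i + 1:i + 2] != '?'   # (?: (?<name> (?= are not unnamed
            if unnamed and any(stack):
                return True
            stack.append(unnamed)
        elif c == ')' and stack:
            stack.pop()
        i += 1
    return False

def audit(conf_text):
    """Flag rewrite rules with nested unnamed captures and 2+ numbered references."""
    findings = []
    for m in DIRECTIVE.finditer(conf_text):
        regex, repl, flag = m.group(1).strip('"'), m.group(2).strip('"'), m.group(3)
        refs = sorted(set(re.findall(r'\$([1-9])', repl)))
        if nested_unnamed_captures(regex) and len(refs) >= 2:
            redirect = (flag in ('redirect', 'permanent')
                        or repl.startswith(('http://', 'https://', '$scheme')))
            context = 'redirect' if redirect else 'args' if '?' in repl else 'other'
            findings.append({'line': conf_text.count('\n', 0, m.start()) + 1,
                             'regex': regex, 'refs': refs, 'context': context})
    return findings

# Constructed sample rules (not taken from the advisory); only the first is flagged.
SAMPLE = r'''
rewrite ^/((\w+)/\d+)$ /item?path=$1&kind=$2 permanent;
rewrite ^/(\w+)/(\d+)$ /item/$1/$2 last;
rewrite ^/(?<path>(?<kind>\w+)/\d+)$ /item?path=$path&kind=$kind permanent;
rewrite ^/((\w+)/\d+)$ /item/$1 last;
'''
print(audit(SAMPLE))
```

This is a text heuristic, not an nginx parser: rules split across lines or written inline inside an if block are missed, so an empty result still calls for manual review.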

How this compares with the earlier NGINX Rift bug

CVE-2026-9256 follows another rewrite module flaw, CVE-2026-42945, which also affected NGINX. Both bugs involve memory safety issues in the same broad module area, but they have different CVE IDs and different vulnerable conditions.

The NGINX security advisories list CVE-2026-9256 and CVE-2026-42945 as separate buffer overflow issues in ngx_http_rewrite_module. CVE-2026-42945 was fixed in 1.31.0 and 1.30.1, while CVE-2026-9256 was fixed later in 1.31.1 and 1.30.2.

That sequence matters for administrators who patched after the earlier NGINX Rift disclosure. A system updated to 1.31.0 or 1.30.1 may still need another update for CVE-2026-9256.

Risk depends on exposure and configuration

The risk is highest for public-facing NGINX deployments that process untrusted HTTP requests and use affected rewrite patterns. Reverse proxies, API gateways, shared hosting systems, Kubernetes ingress deployments, and edge web servers should receive priority review.

The NVD record says exploitation requires conditions beyond the attacker’s control, which means not every NGINX instance is equally exposed. Still, administrators should not rely on configuration uncertainty as a long-term defense.

Security teams should also check downstream products and vendor packages that embed or ship NGINX. Some products may need separate vendor updates even if the upstream NGINX fix already exists.

cPanel users should update ea-nginx

cPanel has already issued its own advisory for environments using ea-nginx. The cPanel update notice says users can check whether ea-nginx is installed and update the package through the platform’s supported package manager.

Administrators running hosting stacks should not assume that the base operating system package is the only NGINX copy on the server. Control panels, ingress components, containers, and vendor appliances may each bundle their own version.

The safest response is to inventory every NGINX deployment, including container images and managed platform components, then confirm that each one runs a fixed version or has vendor guidance applied.
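
The inventory step, and the earlier point that a build patched for CVE-2026-42945 can still be vulnerable to CVE-2026-9256, can be checked mechanically. The following is an added example, not code from NGINX, F5 or the original article: it classifies `nginx -v` banners using only the Open Source version ranges quoted above. The function names, the inventory entries and the assumption that NGINX Plus banners contain the string "nginx-plus" are illustrative.

```python
import re

BANNER = re.compile(r'nginx/(\d+)\.(\d+)\.(\d+)')

def parse_version(banner):
    """Extract (major, minor, patch) from output such as 'nginx version: nginx/1.30.1'."""
    m = BANNER.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def fixed_on_branch(v, mainline_fix, stable_fix):
    """True if v is at or after the mainline fix, or on the stable fix's branch and at or after it."""
    return v >= mainline_fix or (v[:2] == stable_fix[:2] and v >= stable_fix)

def triage(banner):
    """Classify one build using only the version ranges quoted in the article."""
    if 'nginx-plus' in banner:          # assumption: Plus builds identify themselves this way
        return 'plus: follow F5 fixed-release guidance'
    v = parse_version(banner)
    if v is None:
        return 'unknown: identify the build manually'
    if v < (0, 1, 17):
        return 'outside the listed affected range'
    if fixed_on_branch(v, (1, 31, 1), (1, 30, 2)):
        return 'fixed for CVE-2026-9256'
    if fixed_on_branch(v, (1, 31, 0), (1, 30, 1)):
        return 'vulnerable: has the CVE-2026-42945 fix only'
    return 'vulnerable'

def needs_action(inventory):
    """Return {location: status} for every entry not confirmed fixed."""
    statuses = {loc: triage(banner) for loc, banner in inventory.items()}
    return {loc: s for loc, s in statuses.items() if not s.startswith('fixed')}

# Constructed inventory: one banner per place NGINX was found on a host.
INVENTORY = {
    'host package': 'nginx version: nginx/1.30.2',
    'ingress container image': 'nginx version: nginx/1.31.0',
    'control panel bundle': 'nginx version: nginx/1.30.1',
    'vendor appliance': 'nginx version: nginx/1.29.3 (nginx-plus-r36)',
}

for location, status in needs_action(INVENTORY).items():
    print(f'{location}: {status}')
```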

What administrators should do now

Patch first where possible. The official NGINX releases already include fixed Open Source builds, so most self-managed deployments can move directly to 1.31.1 or 1.30.2.

After patching, teams should review rewrite rules and monitor for worker crashes, repeated malformed requests, and unusual restart patterns. A worker restart does not prove exploitation, but it should prompt investigation on exposed systems.

Organizations that cannot patch immediately should apply F5’s rewrite-rule mitigation, reduce exposure to affected routes, and prioritize upgrades for systems handling public HTTP traffic.

  • Upgrade NGINX Open Source to 1.31.1 or 1.30.2.
  • Upgrade NGINX Plus to the fixed release for the active support branch.
  • Update downstream packages such as ea-nginx where applicable.
  • Review rewrite directives with overlapping captures and numbered capture references.
  • Monitor logs for unexpected worker restarts or crash patterns.
  • Check container images, ingress controllers, appliances, and hosting platform bundles.
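
Monitoring for crash patterns can start from the NGINX error log, where the master process records each worker that dies on a signal. The following is an added example, not code from NGINX or the original article: it extracts fault-signal worker exits and reports bursts of them. The threshold of three crashes in five minutes, the function names and the sample log lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Error-log line written by the master when a worker is killed by a signal.
CRASH = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] \d+#\d+: '
                   r'worker process (\d+) exited on signal (\d+)( \(core dumped\))?')
FAULT_SIGNALS = {6: 'SIGABRT', 7: 'SIGBUS', 11: 'SIGSEGV'}   # Linux signal numbers

def worker_crashes(lines):
    """Parse log lines into (time, pid, signal_name, core_dumped) tuples."""
    events = []
    for line in lines:
        m = CRASH.match(line)
        if m and int(m.group(3)) in FAULT_SIGNALS:
            when = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S')
            events.append((when, int(m.group(2)), FAULT_SIGNALS[int(m.group(3))],
                           m.group(4) is not None))
    return events

def crash_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return (first, last, count) for each run of >= threshold crashes within window.

    Events are expected in chronological order, as they appear in the log.
    """
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((events[i][0], events[j][0], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts

# Constructed sample log lines.
SAMPLE_LOG = """\
2026/05/23 09:00:01 [alert] 1201#1201: worker process 1204 exited on signal 11 (core dumped)
2026/05/23 10:14:40 [alert] 1201#1201: worker process 1310 exited on signal 11
2026/05/23 10:15:02 [alert] 1201#1201: worker process 1322 exited on signal 11
2026/05/23 10:16:30 [alert] 1201#1201: worker process 1325 exited on signal 11 (core dumped)
2026/05/23 10:30:00 [notice] 1201#1201: worker process 1330 exited with code 0
2026/05/23 11:00:00 [alert] 1201#1201: worker process 1340 exited on signal 15
""".splitlines()

for first, last, count in crash_bursts(worker_crashes(SAMPLE_LOG)):
    print(f'{count} worker crashes between {first} and {last}')
```

A burst is a reason to pull the access log for the same interval and check which routes with rewrite rules were being requested; on its own it does not show exploitation.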

FAQ

What is nginx-poolslip?

nginx-poolslip is the public nickname for CVE-2026-9256, a heap buffer overflow vulnerability in the NGINX rewrite module. It can crash an NGINX worker process and may allow code execution when ASLR is disabled or bypassed.

Which NGINX versions fix CVE-2026-9256?

NGINX Open Source users should update to 1.31.1 or 1.30.2. NGINX Plus users should follow F5’s branch guidance, including R37.0.1.1, R36 P5, or R32 P7 where applicable.

Can CVE-2026-9256 be exploited without authentication?

Yes. NVD says an unauthenticated attacker can exploit the vulnerability by sending crafted HTTP requests when the vulnerable configuration conditions are present.

Is every NGINX server exposed to nginx-poolslip?

No. The vulnerable condition depends on rewrite directives that use overlapping PCRE captures and replacement strings that reference multiple captures in certain contexts. However, administrators should still patch because affected configurations may exist in large or old deployments.

What can admins do if they cannot patch immediately?

Admins should review rewrite rules and replace risky unnamed numbered captures with named captures where possible, reduce exposure to affected routes, monitor for worker crashes, and schedule the upgrade as soon as possible.
