New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX

A newly disclosed zero-day remote code execution (RCE) vulnerability, dubbed nginx-poolslip, has emerged, affecting NGINX version 1.31.0, the latest stable release of the widely deployed web server software.

The discovery was made by security agent Vega, operating under the NebSec security team, and publicly disclosed via X (formerly Twitter) on May 21, 2026.

Just weeks ago, the cybersecurity community was addressing CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module carrying a CVSS v4 score of 9.2.

The vulnerability, present in the NGINX codebase since 2008, exposed approximately 5.7 million internet-facing NGINX servers to denial-of-service attacks and conditional remote code execution risks.

F5 patched the flaw in NGINX Open Source 1.31.0 and 1.30.1, prompting administrators worldwide to rush emergency upgrades.

NGINX 0-Day RCE “nginx-poolslip”

nginx-poolslip is a critical RCE vulnerability that targets NGINX’s internal memory pool handling mechanism.

The flaw enables attackers to achieve remote code execution on affected servers, potentially granting full system compromise without prior authentication.

The vulnerability is described as a bypass of Address Space Layout Randomization (ASLR), a core OS-level memory protection technique designed to prevent exploitation of memory corruption bugs.

This follows a previously patched vulnerability known as nginx-rift, which affected earlier NGINX versions and has since been remediated.

However, NebSec’s research confirms that the patch for nginx-rift did not address the underlying attack surface that nginx-poolslip now exploits.

NGINX powers an estimated 30–40% of all web servers globally, including high-traffic platforms, reverse proxies, load balancers, and API gateways.

The fact that nginx-poolslip targets the latest release, version 1.31.0, means organizations that diligently updated to avoid nginx-rift may now be exposed to this new threat.

At the time of publication, no official patch from the NGINX project has been released. NebSec has followed a 30-day responsible disclosure timeline, committing to withholding the full technical write-up, including ASLR bypass details, until after an official patch is available.

As of this writing, no CVE identifier has been assigned, and no official patch from F5/NGINX is available for nginx-poolslip.

Mitigations

Until an official patch is issued, administrators should consider the following interim measures:

• Monitor NebuSec and F5 security advisories for patch availability
• Restrict public exposure of NGINX admin interfaces and limit attack surface via WAF rules
• Enable ASLR system-wide (/proc/sys/kernel/randomize_va_space set to 2) as a partial mitigation
• Audit NGINX configurations for rewrite, if, and set directives using unnamed PCRE capture groups — a known precondition for related pool-level corruption
• Evaluate memory-safe alternatives such as Cloudflare Pingora for critical infrastructure

Given that NGINX powers a significant share of global web infrastructure, the security community is closely watching NebUC’s coordinated disclosure.

Organizations are strongly urged to subscribe to F5’s security bulletin feed and prepare emergency patching workflows in anticipation of an imminent fix.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.