Patch Nginx Poolslip Vulnerability: DoS Nginx-poolslip Enables

Administrators are facing another urgent patch cycle following the disclosure of ‘Poolslip,’ a critical new vulnerability affecting Nginx, one of the world’s most widely deployed web servers. This flaw enables attackers to execute Denial of Service (DoS) attacks, underscoring the immediate need for security updates.

Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP.

The vulnerability resides in the ngx_http_rewrite_module, the same component implicated in the recent “NGINX Rift” flaw (CVE-2026-42945).

According to F5’s advisory, the condition arises when a rewrite directive uses a regex pattern with distinct, overlapping PCRE capture groups, such as ^/((.*))$ paired with a replacement string referencing multiple captures, like $1$2 in a redirect or arguments context.

Under these conditions, an attacker sending crafted requests can trigger a heap buffer overflow (CWE-122) in the NGINX worker process. NGINX uses a dedicated memory pool for each request and releases it all at once when the request is finished.

Inside that pool structure, NGINX maintains a linked list of cleanup handlers, and if an attacker can overwrite or redirect that handler pointer, pool destruction becomes a control-flow hijack opportunity.

Where the earlier Rift bug abused a buffer-size calculation error, poolslip triggers a controlled pointer “slip” across adjacent linked structures in the same pool, via a different code path to the same corruption target.

Crucially, researchers confirmed the patch for the prior flaw failed to remediate the underlying memory pool attack surface, leaving the door open for poolslip to emerge in the updated codebase.

At minimum, exploitation crashes and restarts the worker process, producing a denial-of-service condition. More seriously, code execution is possible on systems where Address Space Layout Randomization (ASLR) is disabled or where an attacker can bypass it.

F5 notes there is no control-plane exposure; this is strictly a data-plane issue. The flaw carries a High/8.1 (CVSS v3.1) and Critical/9.2 (CVSS v4.0) rating.

Given NGINX’s ubiquity across reverse proxies, API gateways, and Kubernetes ingress controllers, the exposed footprint is enormous.

Affected Versions and Fixes

NGINX Open Source 0.1.17 through 1.30.1 and 1.31.0 are vulnerable; upgrade to 1.30.2 or 1.31.1. NGINX Plus users on R32–R36 should move to R36 P5 or R32 P7, and 37.x users to R37.0.1.1.

Downstream products, including NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect (WAF and DoS), NGINX Gateway Fabric, and NGINX Ingress Controller, inherit the vulnerable components and should be updated as fixes ship. The 0.x branch will not be fixed.

If immediate patching isn’t feasible, F5 recommends replacing unnamed captures with named captures in every affected rewrite directive. For example, rewrite $1 and $2 references as (?<user_id>...) and (?<section>...), referenced by name in the replacement string.

The flaw was credited to Mufeed VH of Winfunc Research, Nebula Security, and Vexera AI. With proof-of-concept activity already circulating, organizations should patch without delay.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.