
Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now

Critical CVE-2026-9256 in NGINX rewrite module allows remote unauthenticated heap buffer overflow, potentially leading to denial of service or code execution.

May 23, 2026 | 5 min read | kiotocloud Team
Tags: nginx, vulnerability, security, cve

A newly disclosed flaw in one of the world's most widely deployed web servers is forcing administrators into another emergency patch cycle.

Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP.

Technical Details

The vulnerability resides in the ngx_http_rewrite_module, the same component implicated in the recent "NGINX Rift" flaw (CVE-2026-42945). The condition arises when a rewrite directive uses a regex pattern with distinct, overlapping PCRE capture groups, such as ^/((.*))$, paired with a replacement string that references multiple captures, such as $1$2, in a redirect or arguments context.

Under these conditions, an attacker sending crafted requests can trigger a heap buffer overflow (CWE-122) in the NGINX worker process. NGINX uses a dedicated memory pool for each request and releases it all at once when finished. Inside that pool structure, NGINX maintains a linked list of cleanup handlers. If an attacker can overwrite or redirect that handler pointer, pool destruction becomes a control-flow hijack opportunity.

Impact

  • At minimum: exploitation crashes and restarts the worker process, producing a denial-of-service condition.
  • At worst: code execution is possible on systems where ASLR is disabled or can be bypassed.

The flaw is rated High (8.1, CVSS v3.1) and Critical (9.2, CVSS v4.0).

Affected Versions and Fixes

| Product            | Vulnerable Versions         | Fixed Versions             |
|--------------------|-----------------------------|----------------------------|
| NGINX Open Source  | 0.1.17 – 1.30.1, 1.31.0     | 1.30.2, 1.31.1             |
| NGINX Plus         | R32 – R36, 37.0.0           | R36 P5, R32 P7, 37.0.1.1   |

Mitigation

If immediate patching isn't feasible, F5 recommends replacing unnamed captures with named captures in every affected rewrite directive. For example, instead of the positional groups referenced as $1 and $2, define named groups such as (?<user_id>...) and (?<section>...) in the pattern and reference them by name in the replacement string.
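Finding every affected rewrite directive in a large configuration by hand is error-prone, so the following audit script is added here as a worked example; it is not code from F5, NGINX or the advisory. It parses rewrite directives out of a constructed nginx.conf fragment (embedded inline, not taken from any real deployment), classifies the capture groups in each regex, reports directives whose shape matches the description above (unnamed groups nested inside one another, with two or more numeric $N references), flags any remaining use of unnamed captures, and prints a mechanical named-capture rewrite in the spirit of the interim guidance. The placeholder group names c1, c2, … and the simplified single-token directive parser are assumptions of the example; the "redirect or arguments context" qualifier is recorded (the rewrite flag is kept in each finding) but not used to narrow the verdict, so the output errs on the side of review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample nginx.conf fragment (not from the advisory). The first rewrite has the
# shape the article describes: nested unnamed groups, both referenced numerically, with a
# redirect flag. The others are contrasting cases (named captures, a single group, two
# distinct non-overlapping groups).
SAMPLE_CONF = r"""
server {
    listen 80;
    rewrite ^/((.*))$ /new/$1$2 redirect;
    rewrite ^/u/(?<user_id>[0-9]+)/(?<section>[a-z]+)$ /profile?u=$user_id&s=$section permanent;
    rewrite ^/old/(.*)$ /archive/$1 last;
    location /api {
        rewrite "^/api/(v[0-9]+)/(.*)$" /$2?version=$1 break;
    }
}
"""

# Simplified directive parser (assumption of this example): regex and replacement are taken
# as whitespace-free tokens with surrounding quotes stripped, so quoted patterns that
# contain spaces are not handled.
REWRITE_RE = re.compile(
    r'^[ \t]*rewrite\s+(\S+)\s+(\S+)(?:\s+(last|break|redirect|permanent))?\s*;', re.M)
NUMERIC_REF_RE = re.compile(r'\$([1-9])')  # nginx $N capture references are single digits


@dataclass
class Finding:
    line: int
    pattern: str
    replacement: str
    flag: Optional[str]
    unnamed_groups: int
    named_groups: int
    nested: bool                     # a capture group opens inside another capture group
    numeric_refs: Tuple[int, ...]    # $N references found in the replacement
    verdict: str                     # "trigger-shape", "unnamed-captures" or "ok"


def analyze_pattern(pattern: str):
    """Walk a PCRE pattern and classify its groups.

    Returns (unnamed_count, named_count, nested, positions_of_unnamed_group_opens).
    Escapes and character classes are skipped so that '\\(' and '[(]' are not counted.
    """
    unnamed = named = 0
    nested = False
    opens = []   # indices of '(' that start an unnamed capturing group
    stack = []   # one bool per currently open paren: True if it is a capturing group
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':
            i += 2
        elif c == '[':
            j = i + 1
            if pattern.startswith('^', j):
                j += 1
            if pattern.startswith(']', j):   # ']' first inside a class is literal
                j += 1
            while j < n and pattern[j] != ']':
                j += 2 if pattern[j] == '\\' else 1
            i = j + 1
        elif c == '(':
            if pattern.startswith('(?', i):
                rest = pattern[i + 2:i + 4]
                # (?<name>...), (?P<name>...) and (?'name'...) capture; (?:, (?=, (?<= etc. do not
                capturing = rest.startswith(("P<", "'")) or (
                    rest.startswith('<') and rest[1:2] not in ('', '=', '!'))
                named += capturing
            else:
                capturing = True
                unnamed += 1
                opens.append(i)
            if capturing and any(stack):
                nested = True
            stack.append(capturing)
            i += 1
        elif c == ')':
            if stack:
                stack.pop()
            i += 1
        else:
            i += 1
    return unnamed, named, nested, opens


def classify(unnamed: int, nested: bool, refs: Tuple[int, ...]) -> str:
    if unnamed >= 2 and nested and len(refs) >= 2:
        return "trigger-shape"       # overlapping unnamed groups, multiple $N references
    if refs:
        return "unnamed-captures"    # interim guidance: switch these to named captures
    return "ok"


def suggest_named(pattern: str, replacement: str) -> Tuple[str, str]:
    """Mechanically name every unnamed group (placeholder names c1, c2, ...) and
    reference the groups by name in the replacement string."""
    _, _, _, opens = analyze_pattern(pattern)
    out, last = [], 0
    for k, pos in enumerate(opens, start=1):
        out.append(pattern[last:pos + 1] + f'?<c{k}>')
        last = pos + 1
    out.append(pattern[last:])
    return ''.join(out), NUMERIC_REF_RE.sub(r'$c\1', replacement)


def audit_config(conf: str) -> List[Finding]:
    findings = []
    for m in REWRITE_RE.finditer(conf):
        line = conf.count('\n', 0, m.start()) + 1
        pattern, replacement, flag = m.group(1).strip('"\''), m.group(2), m.group(3)
        unnamed, named, nested, _ = analyze_pattern(pattern)
        refs = tuple(sorted({int(d) for d in NUMERIC_REF_RE.findall(replacement)}))
        findings.append(Finding(line, pattern, replacement, flag, unnamed, named, nested,
                                refs, classify(unnamed, nested, refs)))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONF):
        print(f"line {f.line}: {f.verdict:16} unnamed={f.unnamed_groups} named={f.named_groups} "
              f"nested={f.nested} refs={f.numeric_refs} flag={f.flag}")
        if f.verdict != "ok":
            print("  suggested:", *suggest_named(f.pattern, f.replacement))
```

Run it against a real configuration by passing the file contents to audit_config; the verdicts are a triage aid, not proof of exploitability, and the suggested rewrite still needs meaningful group names and a functional test before deployment.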

With proof-of-concept activity already circulating, organizations should patch without delay.