CVE-2026-9256: Critical NGINX Flaw Enables RCE and DoS Attacks
F5 has disclosed a critical security vulnerability in NGINX’s ngx_http_rewrite_module, tracked as CVE-2026-9256, that exposes millions of internet-facing web servers to denial-of-service (DoS) conditions and potential remote code execution (RCE).
Dubbed “Nginx-poolslip,” the flaw carries a CVSS v4.0 score of 9.2 (Critical) and requires no authentication to exploit.
The vulnerability stems from improper handling of overlapping PCRE (Perl-Compatible Regular Expression) capture groups within NGINX rewrite directives.
When configurations contain ambiguous regex patterns such as ^/((.*))$ paired with multiple backreferences like $1$2, the NGINX worker process performs unsafe memory operations, resulting in a heap-based buffer overflow (CWE-122).
Attackers can trigger the flaw by sending specially crafted HTTP requests, requiring no credentials or prior access. Successful exploitation can lead to:
- Worker process crashes and service restarts, causing persistent DoS
- Potential RCE in environments where ASLR is disabled or bypassed
- Service instability in high-traffic production deployments
While the vulnerability impacts only the data plane, leaving the control plane unaffected, its remote exploitability without authentication makes it a high-priority risk for any NGINX-powered infrastructure.
Affected Versions
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| NGINX Open Source | 1.0.0 – 1.30.1 | 1.30.2 / 1.31.1 |
| NGINX Plus | 37.0.0 | 37.0.1.1 |
NGINX-based products, including NGINX Ingress Controller, NGINX App Protect, and NGINX Gateway Fabric, are also impacted through shared underlying components. F5 products such as BIG-IP, BIG-IQ, and F5 Distributed Cloud services are not affected.
The flaw activates when rewrite rules use unnamed and overlapping capture groups during request processing. Consider this vulnerable configuration:
```nginx
rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
```
The ambiguous grouping triggers out-of-bounds heap writes. The secure alternative replaces unnamed groups with named captures, eliminating the memory hazard:
```nginx
rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
```
This small configuration change closes the attack surface without functional disruption.
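Auditing a large estate of rewrite rules by eye is error-prone, so the following script (an added example, not code from F5, the researchers or the article) walks a constructed NGINX configuration, reports every `rewrite` directive whose regex still contains unnamed capture groups, notes when those groups are nested inside one another, and suggests the named-capture form the article recommends. The directive syntax it parses and the `$1`..`$9` backreference range are NGINX's own; the `gN` group names it generates and the sample configuration are assumptions of this example.

```python
"""Report NGINX rewrite directives that use unnamed PCRE capture groups with
numeric backreferences, and suggest the equivalent named-capture form."""
import re
from dataclasses import dataclass

# rewrite <regex> <replacement> [last|break|redirect|permanent];
REWRITE_RE = re.compile(
    r'^[ \t]*rewrite\s+(?P<regex>\S+)\s+(?P<repl>\S+)'
    r'(?:\s+(?:last|break|redirect|permanent))?[ \t]*;', re.MULTILINE)
NUMERIC_BACKREF_RE = re.compile(r'\$([1-9])')   # NGINX exposes $1..$9 only

@dataclass
class Finding:
    line_no: int
    regex: str
    replacement: str
    unnamed_groups: int
    nested_groups: bool    # a capturing group opened inside another one
    backrefs: list         # numeric backreferences used in the replacement

def classify_group(pattern, i):
    """Classify the group opened at pattern[i] == '(' as 'unnamed', 'named' or 'noncapturing'."""
    rest = pattern[i + 1:]
    if not rest.startswith('?'):
        return 'unnamed'
    if re.match(r"\?(?:P?<[A-Za-z_]|')", rest):   # (?<name> (?P<name> (?'name'
        return 'named'
    return 'noncapturing'                          # (?: (?= (?! (?<= (?<!

def capture_groups(pattern):
    """Yield (offset, kind, nested) for each group opened in a PCRE pattern.
    Escaped characters and the contents of [...] classes are skipped."""
    stack, in_class, i = [], False, 0      # stack: one bool per open group (capturing?)
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':
            i += 2
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(':
            kind = classify_group(pattern, i)
            capturing = kind != 'noncapturing'
            yield i, kind, capturing and any(stack)
            stack.append(capturing)
        elif c == ')' and stack:
            stack.pop()
        i += 1

def analyze_regex(pattern):
    """Return (number_of_unnamed_groups, has_nested_capturing_groups)."""
    groups = list(capture_groups(pattern))
    return (sum(1 for _, kind, _ in groups if kind == 'unnamed'),
            any(nested for _, _, nested in groups))

def to_named(regex, replacement):
    """Turn unnamed group number N into (?<gN>...) and its $N backreference into $gN.
    Numbering follows PCRE (every capturing group counts); existing named groups are untouched."""
    pieces, last, number, renamed = [], 0, 0, set()
    for offset, kind, _ in capture_groups(regex):
        if kind == 'noncapturing':
            continue
        number += 1
        if kind == 'unnamed':
            pieces.append(regex[last:offset] + f'(?<g{number}>')
            last, renamed = offset + 1, renamed | {str(number)}
    pieces.append(regex[last:])
    new_repl = NUMERIC_BACKREF_RE.sub(
        lambda m: f'$g{m.group(1)}' if m.group(1) in renamed else m.group(0), replacement)
    return ''.join(pieces), new_repl

def audit_config(text):
    """Return one Finding per rewrite directive whose regex still has unnamed capture groups."""
    findings = []
    for m in REWRITE_RE.finditer(text):
        regex, repl = m.group('regex').strip('"\''), m.group('repl').strip('"\'')
        unnamed, nested = analyze_regex(regex)
        if unnamed:
            line_no = text.count('\n', 0, m.start()) + 1
            findings.append(Finding(line_no, regex, repl, unnamed, nested,
                                    NUMERIC_BACKREF_RE.findall(repl)))
    return findings

# Constructed sample configuration for this example (not a real deployment).
SAMPLE_CONFIG = """\
server {
    listen 80;
    # vulnerable form quoted from the advisory
    rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;
    # nested unnamed groups with multiple backreferences (constructed)
    rewrite ^/((.*))$ /index.php?q=$1$2 last;
    # already uses named captures: not reported
    rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$ /profile.php?id=$user_id&tab=$section last;
    # non-capturing group only: not reported
    rewrite ^/(?:old|legacy)/(?<path>.*)$ /new/$path permanent;
}
"""

def main():
    for f in audit_config(SAMPLE_CONFIG):
        new_regex, new_repl = to_named(f.regex, f.replacement)
        note = ' (nested groups: review manually)' if f.nested_groups else ''
        print(f'line {f.line_no}: {f.unnamed_groups} unnamed group(s), backrefs {f.backrefs}{note}')
        print(f'  suggest: rewrite {new_regex} {new_repl}')

if __name__ == '__main__':
    main()
```

Run it against the output of `nginx -T` to cover every included file at once. The suggestion is mechanical: a nested pattern such as `^/((.*))$` is still reported separately because a named version of it keeps the same overlapping structure, and the rule itself usually deserves a second look.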
Mitigation
Security teams should act immediately, given NGINX’s dominant presence across global web infrastructure:
- Upgrade NGINX Open Source to 1.30.2 or 1.31.1 and NGINX Plus to 37.0.1.1
- Audit all rewrite rules for ambiguous or overlapping unnamed capture groups
- Replace unnamed captures with named alternatives across all configurations
- Enable ASLR and additional memory protection mitigations at the OS level
- Monitor access logs for abnormal patterns, repeated 500 errors, or frequent worker process restarts
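The last item is easy to state and tedious to do by hand. The script below (an added example, not code from the advisory or the article) implements the two checks over constructed log lines: a per-client burst of 5xx responses in the access log, and repeated `worker process N exited on signal S` entries in the error log, which is what a crashing worker leaves behind. It assumes NGINX's default `combined` access log format and the stock error-log line layout; the thresholds and sample addresses are this example's own choices.

```python
"""Detect 5xx bursts per client in an NGINX access log and repeated worker
process exits in the error log, the two signals the mitigation list asks for."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Default "combined" access log format
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)')
# error_log entry written by the master when a worker dies
WORKER_EXIT_RE = re.compile(
    r'^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: '
    r'worker process (?P<pid>\d+) exited on signal (?P<signal>\d+)')

def burst_detected(times, window, threshold):
    """True if at least `threshold` events fall inside any interval of length `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:     # slide the window's left edge
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def server_error_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> number of 5xx responses, for clients that hit `threshold` 5xx in one window."""
    per_client = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group('status').startswith('5'):
            ts = datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z')
            per_client[m.group('ip')].append(ts)
    return {ip: len(ts) for ip, ts in per_client.items()
            if burst_detected(ts, window, threshold)}

def worker_exit_bursts(lines, window=timedelta(seconds=300), threshold=3):
    """Return (total_exits, Counter of signals, burst_flag) from error-log lines."""
    times, signals = [], Counter()
    for line in lines:
        m = WORKER_EXIT_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group('time'), '%Y/%m/%d %H:%M:%S'))
            signals[int(m.group('signal'))] += 1
    return len(times), signals, burst_detected(times, window, threshold)

# Constructed sample log lines (documentation addresses; not real traffic).
ACCESS_LOG = """\
198.51.100.2 - - [10/Mar/2026:14:21:58 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:14:22:01 +0000] "GET /users/42/profile/settings HTTP/1.1" 500 0 "-" "-"
203.0.113.7 - - [10/Mar/2026:14:22:03 +0000] "GET /users/42/profile/settings HTTP/1.1" 500 0 "-" "-"
203.0.113.7 - - [10/Mar/2026:14:22:04 +0000] "GET /users/42/profile/settings HTTP/1.1" 502 0 "-" "-"
203.0.113.7 - - [10/Mar/2026:14:22:07 +0000] "GET /users/42/profile/settings HTTP/1.1" 500 0 "-" "-"
203.0.113.7 - - [10/Mar/2026:14:22:09 +0000] "GET /users/42/profile/settings HTTP/1.1" 500 0 "-" "-"
198.51.100.2 - - [10/Mar/2026:14:22:10 +0000] "GET /users/7/profile/posts HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2026:14:22:12 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()

ERROR_LOG = """\
2026/03/10 14:22:01 [alert] 1200#1200: worker process 1301 exited on signal 11 (core dumped)
2026/03/10 14:22:03 [alert] 1200#1200: worker process 1302 exited on signal 11 (core dumped)
2026/03/10 14:22:05 [notice] 1200#1200: start worker process 1303
2026/03/10 14:22:07 [alert] 1200#1200: worker process 1303 exited on signal 11 (core dumped)
2026/03/10 14:22:10 [notice] 1200#1200: signal 17 (SIGCHLD) received from 1304
""".splitlines()

def main():
    for ip, n in server_error_bursts(ACCESS_LOG).items():
        print(f'{ip}: {n} 5xx responses within one window')
    total, signals, burst = worker_exit_bursts(ERROR_LOG)
    print(f'worker exits: {total}, by signal: {dict(signals)}, burst: {burst}')

if __name__ == '__main__':
    main()
```

Signal 11 (SIGSEGV) exits clustered in time are the pattern a memory-corruption crash produces; a single 5xx from one client is background noise, whereas the same client collecting five in a few seconds against one rewrite path is worth correlating with the worker exits from the same minute.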
The vulnerability was responsibly disclosed by Mufeed VH (Winfunc Research), Nebula Security, and Vexera AI, with full technical details published via F5’s security advisory portal.
Given NGINX’s role as the backbone of a significant portion of the internet’s web infrastructure, unpatched systems remain at serious risk of exploitation in the wild. Organizations are urged to treat this as a critical-priority patch cycle.