A significant security flaw has been identified in Nginx, one of the most widely deployed web servers, and administrators are urged to patch without delay. Tracked as CVE-2026-9256 and nicknamed ‘nginx-poolslip,’ the vulnerability affects both NGINX Plus and NGINX Open Source and can potentially be exploited by remote attackers over plain HTTP.
Understanding the Nginx-poolslip Vulnerability
The issue lies in ngx_http_rewrite_module, the same module behind the earlier ‘NGINX Rift’ flaw (CVE-2026-42945). According to F5's advisory, the vulnerability is triggered when a rewrite directive uses a regex with overlapping PCRE capture groups, such as ^/((.*))$, together with a replacement string such as $1$2, in a redirect or argument-rewriting configuration.
Attackers can exploit this by crafting requests that cause a heap buffer overflow in the NGINX worker process. Each request is served from a dedicated memory pool that NGINX tears down when the request completes; if the overflow lets an attacker tamper with the pool's linked list of cleanup handlers, control flow can be hijacked.
Exploitation and Risks
Unlike the Rift bug, which stemmed from a buffer-size miscalculation, poolslip involves a controlled pointer slip across linked structures in the same pool. The Rift patch did not address the memory pool weakness, so poolslip affects even versions that received that fix.
Exploiting the flaw can crash the worker process, which then restarts, producing a denial of service. More seriously, it could lead to code execution if Address Space Layout Randomization (ASLR) is disabled or bypassed. F5 stresses that this is strictly a data-plane issue with no control-plane exposure, and rates it from High (CVSS 8.1) to Critical (CVSS 9.2).
Versions Affected and Recommended Actions
The flaw affects NGINX Open Source versions 0.1.17 through 1.30.1, as well as 1.31.0; fixes are available in 1.30.2 and 1.31.1. NGINX Plus users should update to R36 P5 or R32 P7, while 37.x users should move to R37.0.1.1. Related products such as NGINX Instance Manager and F5 WAF for NGINX inherit the vulnerability and should be updated as well.
Where immediate patching is impractical, F5 advises modifying the affected rewrite directives to replace unnamed captures with named ones, using (?…) in place of $1 and $2 and referencing the captures by name in the replacement string.
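As an added illustration from the defender's side (example code written for this article, not F5's, nginx's or the researchers' code), the script below scans a constructed nginx configuration for rewrite directives that combine nested PCRE capture groups with numbered $N references, the shape the advisory describes, and prints the named-capture form of each hit. The named-group syntax (?<name>...) and the g1/g2 names are assumptions filling in the page's abbreviated (?…); the directive parser is deliberately simplified (one rewrite per line) and is no substitute for patching.

```python
"""Audit nginx config for the rewrite shape in the F5 advisory for
CVE-2026-9256: nested PCRE capture groups referenced by number ($1$2).
Added example for this article, not F5's or nginx's code.  The directive
parser is simplified: one `rewrite` per line, split on whitespace/quotes."""
import re

# Constructed sample: line 4 is the advisory's ^/((.*))$ + $1$2 shape,
# line 6 its named-capture form, line 7 a true negative (no overlap).
CONFIG = """\
server {
    listen 80;
    # Risky: nested captures referenced by number.
    rewrite ^/((.*))$ /new/$1$2 redirect;
    # Named-capture form F5 recommends (names are this example's choice).
    rewrite "^/(?<outer>(?<inner>.*))$" /new/$outer$inner redirect;
    rewrite ^/old/([^/]+)/([^/]+)$ /new/$1/$2 permanent;
}
"""

# PCRE named-group opener (?<n> (?P<n> (?'n'); the lookahead excludes (?<= (?<!
_NAMED_OPEN = re.compile(r"\(\?(?:P?<(?![=!])(\w+)>|'(\w+)')")


def _tokens(body):
    """Split a directive body on whitespace, keeping quoted arguments whole."""
    return [a or b or c for a, b, c in re.findall(r'''"([^"]*)"|'([^']*)'|(\S+)''', body)]


def capture_groups(regex):
    """(number, name or None, start, end) for each capturing group, numbered
    by opening parenthesis; escapes and character classes are skipped."""
    groups, stack, n, i, in_class = [], [], 0, 0, False
    while i < len(regex):
        ch = regex[i]
        if ch == '\\':
            i += 2                       # skip the escaped character
            continue
        if in_class:
            in_class = ch != ']'
        elif ch == '[':
            in_class = True
        elif ch == '(':
            m = _NAMED_OPEN.match(regex, i)
            if regex.startswith('(?', i) and not m:
                stack.append(None)       # (?: (?= (?! (?<= (?<! (?i) ...
            else:
                n += 1
                stack.append((n, m and (m.group(1) or m.group(2)), i))
        elif ch == ')' and stack:
            top = stack.pop()
            if top:
                groups.append(top + (i + 1,))
        i += 1
    return sorted(groups)


def nested_pairs(groups):
    """(outer, inner) numbers for every pair of groups whose spans overlap."""
    return [(a[0], b[0]) for a in groups for b in groups
            if a is not b and a[2] <= b[2] and b[3] <= a[3]]


def suggest_named(regex, replacement, prefix='g'):
    """Turn unnamed (...) into (?<gN>...) and $N into $gN, the form F5
    recommends; groups that already have a name are left as they are."""
    groups = capture_groups(regex)
    for num, name, start, _ in sorted(groups, key=lambda g: -g[2]):
        if name is None:                 # right-to-left keeps earlier offsets valid
            regex = regex[:start + 1] + '?<%s%d>' % (prefix, num) + regex[start + 1:]
    names = {num: name or '%s%d' % (prefix, num) for num, name, _, _ in groups}

    def fix(m):
        num = int(m.group(1))
        return '$' + names[num] if num in names else m.group(0)
    return regex, re.sub(r'\$([1-9])', fix, replacement)


def audit_rewrites(config_text):
    """Findings for rewrite directives mixing nested captures with $N
    references; both_referenced marks the exact advisory shape."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0] != 'rewrite':
            continue                     # blank, comment or other directive
        toks = _tokens(parts[1].rstrip(';'))
        if len(toks) < 2:
            continue
        regex, repl = toks[0], toks[1]
        nested = nested_pairs(capture_groups(regex))
        numbered = {int(d) for d in re.findall(r'\$([1-9])', repl)}
        if numbered & {g for pair in nested for g in pair}:
            findings.append({
                'line': lineno, 'regex': regex, 'replacement': repl,
                'flag': toks[2] if len(toks) > 2 else '', 'nested': nested,
                'both_referenced': any(o in numbered and i in numbered for o, i in nested),
                'suggested': suggest_named(regex, repl)})
    return findings


if __name__ == '__main__':
    for f in audit_rewrites(CONFIG):
        print('line %d: rewrite %s %s %s; nested groups %s%s' % (
            f['line'], f['regex'], f['replacement'], f['flag'], f['nested'],
            ' (advisory shape)' if f['both_referenced'] else ''))
        print('  suggested: rewrite "%s" %s %s;' % (f['suggested'] + (f['flag'],)))
```

Run it as a script for a report on the embedded sample, or call audit_rewrites() on the text of a real nginx.conf. A directive is flagged only when a numbered reference points at a group that overlaps another group; both_referenced marks the exact ^/((.*))$ with $1$2 pattern from the advisory, while hits that reference only one side still warrant review, since the page does not say the narrower case is safe. When applying a suggested directive, keep in mind that nginx requires the regex to be quoted if it contains } or ;.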
Call to Action
The flaw was discovered by Mufeed VH of Winfunc Research, Nebula Security, and Vexera AI. With proof-of-concept exploits already in circulation, organizations are urged to patch their systems without delay to mitigate the risk.
