
NGINX Hit by Second Unauthenticated RCE — 'nginx-poolslip'

F5 warns of CVE-2026-9256 (nginx-poolslip), a Critical 9.2 CVSS heap overflow in NGINX's rewrite module enabling unauthenticated RCE. Patch now.

nginx-poolslip Flaw

F5 has rushed out a security advisory for a second critical heap overflow vulnerability in NGINX's URL rewriting engine this month — and this one, nicknamed nginx-poolslip, allows an unauthenticated remote attacker to crash your web server or execute arbitrary code without a single login credential.

Tracked as CVE-2026-9256 and carrying a CVSS v4.0 score of 9.2 (Critical), the flaw was publicly teased by Nebula Security on May 20 and formally disclosed by F5 on May 22.

It sits inside ngx_http_rewrite_module — the same component that was at the center of the NGINX Rift flaw (CVE-2026-42945) patched just nine days earlier. The vulnerability affects both NGINX Plus and NGINX Open Source and can be triggered by a remote, unauthenticated attacker over plain HTTP. 

What Goes Wrong

The bug is rooted in NGINX's handling of a specific regular expression pattern in rewrite directives. The vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping PCRE (Perl-Compatible Regular Expression) captures — for example, ^/((.*))$ — paired with a replacement string that references multiple such captures, like $1$2, in a redirect or arguments context. 

When an attacker sends a specially crafted HTTP request to a server running such a configuration, the NGINX worker process suffers a heap buffer overflow (CWE-122) and crashes; the master process respawns it, so the immediate effect is a denial of service.

The damage doesn't stop at service disruption. On systems where Address Space Layout Randomization (ASLR) is disabled, or where the attacker can otherwise bypass it, the overflow can be turned into arbitrary code execution, a realistic scenario in some legacy or improperly hardened deployments.

Who Is Exposed

The scope is substantial. NGINX Open Source versions 0.1.17 through 1.31.0 are vulnerable, while 1.31.1 and 1.30.2 carry the fix. NGINX Plus releases R32 through R37.0.0 are affected; fixes land in R37.0.1.1, R36 P5, and R32 P7. NGINX Instance Manager versions 2.17.0 to 2.22.0 are also flagged, though no fix has been released for that product line yet.

Notably, F5 BIG-IP, BIG-IQ, F5OS, and F5 Distributed Cloud Services are all listed as not vulnerable. The exposure is squarely in the NGINX software layer itself.

Second RCE in NGINX

CVE-2026-9256 lands just over a week after NGINX Rift (CVE-2026-42945), a separate heap overflow in the same rewrite module that had been quietly lurking in the codebase for 18 years.

Two critical bugs in the same component within the same month are an uncomfortable signal that the rewrite engine has been under-scrutinised for a long time. F5 credited the discovery of nginx-poolslip to Mufeed VH of Winfunc Research, Nebula Security, and Vexera AI for coordinated disclosure.

What You Should Do Right Now

Upgrading is the definitive fix. If patching immediately isn't an option, F5 offers a practical configuration-level mitigation: replace unnamed PCRE capture groups with named captures in every affected rewrite directive. For example, swap: 

rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&tab=$2 last;

…for:

rewrite ^/users/(?<user_id>[0-9]+)/profile/(?<section>.*)$
        /profile.php?id=$user_id&tab=$section last;

That single configuration change neutralises the vulnerable code path, but it has to be made in every rewrite directive that references captures by number, including those in files pulled in through include. Validate the edited configuration with nginx -t before reloading. Given that NGINX powers roughly one-third of the world's web servers, administrators should treat this as a priority patch rather than a scheduled maintenance item.
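To turn the description of the vulnerable pattern under "What Goes Wrong" and F5's interim mitigation into something you can run against a real configuration, here is an added example in Python (not code from F5, the NGINX project or this article). It walks an nginx configuration, lists every rewrite directive whose replacement string references captures by number, flags the nested-capture-plus-$1$2 shape described above, and prints the named-capture form of each flagged directive. The sample configuration is constructed for the demonstration; the "risky" heuristic, the cap1/cap2 naming and the helper names are this example's own assumptions. It tells you where the mitigation needs applying, not whether a given directive is exploitable; upgrading remains the fix.

```python
"""Audit nginx rewrite directives for unnamed PCRE captures and emit the named-capture
form F5 recommends as an interim mitigation. Added example, not code from F5, the NGINX
project or the article: the sample config is constructed, and the 'risky' heuristic and
the cap<N> naming scheme are this script's own assumptions."""
import re
from collections import namedtuple

_NAMED = re.compile(r"\(\?(?:P?<([A-Za-z_]\w*)>|'([A-Za-z_]\w*)')")  # (?<n> (?P<n> (?'n'

# risky: heuristic, the replacement pulls an unnamed capture in by number ($N).
# advisory_shape: overlapping captures plus several $N references, as in ((.*)) with $1$2.
Finding = namedtuple("Finding", "regex replacement flag numbered_refs risky advisory_shape")


def scan_captures(regex):
    """Return ([(open_paren_index, name_or_None), ...] in PCRE order, nested_flag)."""
    groups, stack, nested, in_class, i = [], [], False, False, 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\":                          # skip an escaped char such as \( or \]
            i += 1
        elif in_class:                          # parentheses inside [...] are literals
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            m = _NAMED.match(regex, i)
            if m:                               # named capture: numbered by PCRE, already safe
                groups.append((i, m.group(1) or m.group(2)))
                stack.append(True)
            elif regex.startswith("(?", i):     # (?: (?= (?! (?<= (?i) ...: non-capturing
                stack.append(False)
            else:                               # plain ( ... ): unnamed capture
                nested = nested or any(stack)   # opened inside another capture?
                groups.append((i, None))
                stack.append(True)
        elif ch == ")" and stack:
            stack.pop()
        i += 1
    return groups, nested


def audit(config_text):
    """One Finding per rewrite directive. Comments, braces and quotes are handled simply;
    a '#' or ';' inside an unquoted pattern is not."""
    text = re.sub(r"(?m)(^|\s)#.*$", r"\1", config_text)      # strip comments
    findings = []
    for stmt in re.sub(r"[{}]", ";", text).split(";"):         # braces end statements too
        toks = [t.strip("\"'") for t in re.findall(r'"[^"]*"|\'[^\']*\'|\S+', stmt)]
        if len(toks) < 3 or toks[0] != "rewrite":
            continue
        groups, nested = scan_captures(toks[1])
        unnamed = sum(1 for _, name in groups if name is None)
        refs = re.findall(r"\$([1-9])", toks[2])
        findings.append(Finding(toks[1], toks[2], toks[3] if len(toks) > 3 else "", refs,
                                unnamed > 0 and bool(refs), nested and len(refs) >= 2))
    return findings


def to_named(regex, replacement, prefix="cap"):
    """Apply the mitigation mechanically: name each unnamed capture and point every $N at
    the matching $name. Names follow PCRE group numbers, so mixed named/unnamed is safe."""
    groups, _ = scan_captures(regex)
    names = [name or f"{prefix}{n}" for n, (_, name) in enumerate(groups, 1)]
    for n in range(len(groups), 0, -1):  # patch right-to-left so earlier offsets stay valid
        pos, name = groups[n - 1]
        if name is None:
            regex = f"{regex[:pos + 1]}?<{names[n - 1]}>{regex[pos + 1:]}"

    def swap(m):
        n, tail = int(m.group(1)), m.group(2)
        if n > len(names):
            return m.group(0)
        # use ${name} when a word character follows, so the name does not swallow it
        return (f"${{{names[n - 1]}}}" if tail else f"${names[n - 1]}") + tail
    return regex, re.sub(r"\$([1-9])(\w?)", swap, replacement)


SAMPLE_CONF = """\
server {   # constructed sample, not a real deployment
    location / {
        rewrite ^/((.*))$ /index.php?p=$1$2 redirect;   # the shape the advisory describes
        rewrite ^/users/([0-9]+)/profile/(.*)$
                /profile.php?id=$1&tab=$2 last;
        rewrite ^/ok/(?<user_id>[0-9]+)$ /ok.php?id=$user_id last;
        rewrite ^/old$ /new permanent;
    }
}
"""


def report(config_text=SAMPLE_CONF):
    """Print a verdict per rewrite; return (findings, {regex: (new_regex, new_replacement)})."""
    findings, mitigated = audit(config_text), {}
    for f in findings:
        print(f"[{'RISKY' if f.risky else 'ok'}] rewrite {f.regex} {f.replacement} {f.flag}".rstrip())
        if f.risky:
            mitigated[f.regex] = to_named(f.regex, f.replacement)
            print("   -> rewrite %s %s %s" % (*mitigated[f.regex], f.flag))
    return findings, mitigated


if __name__ == "__main__":
    report()
```

Run it as-is to see the verdicts for the built-in sample, or feed audit() or report() the output of nginx -T, which dumps the full effective configuration including every included file. Named captures in nginx may use letters, digits and underscores; the automatic cap1, cap2 names satisfy that, but review the rewritten directives and validate with nginx -t before reloading.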
