New NGINX 0-Day ‘nginx-poolslip’ Threatens Millions of Servers

A critical zero-day remote code execution (RCE) vulnerability, termed ‘nginx-poolslip,’ has been identified in NGINX version 1.31.0, the latest stable release of the widely used web server software. This discovery was made by security researcher Vega from the NebSec team and publicly disclosed on May 21, 2026.

NGINX powers approximately 30–40% of web servers globally, including high-traffic platforms, reverse proxies, load balancers, and API gateways, and these deployments are now at risk due to this flaw. The vulnerability abuses NGINX’s internal memory pool handling mechanism, allowing unauthenticated attackers to execute arbitrary code remotely, potentially leading to full system compromise.

This development follows the recent patching of ‘nginx-rift’ (CVE-2026-42945), a critical heap buffer overflow in NGINX’s rewrite module that had been present since 2008. Despite that patch, NebSec’s research indicates that the underlying attack surface remains vulnerable and is what nginx-poolslip now exploits.

As of now, no official patch has been released for nginx-poolslip, and no CVE identifier has been assigned. NebSec has committed to withholding the full technical details, including the Address Space Layout Randomization (ASLR) bypass, for 30 days to allow for responsible disclosure and patch development.

In the interim, administrators are advised to:

  • Monitor NebSec and F5 security advisories for updates on patch availability.
  • Restrict public exposure of NGINX administrative interfaces and implement Web Application Firewall (WAF) rules to limit the attack surface.
  • Ensure ASLR is enabled system-wide as a partial mitigation measure.
  • Audit NGINX configurations for directives using unnamed PCRE capture groups, which are known preconditions for related vulnerabilities.
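
For the configuration audit in the last item, the following is an added example (not code from NebSec, F5 or the original article) that lists regex arguments containing unnamed capture groups. It assumes one directive per line and covers only rewrite, location, if and server_name; the function names and the sample configuration are constructed for illustration.

```python
import re
from itertools import takewhile

# Constructed sample config for illustration; not taken from the article.
SAMPLE_CONF = r'''
server {
    server_name ~^(www\.)?example\.test$;
    rewrite ^/old/(.*)$ /new/$1 permanent;        # unnamed group
    rewrite ^/u/(?<id>\d+)$ /user?id=$id last;    # named group only
    location ~* \.(?:png|jpe?g)$ { expires 1d; }  # non-capturing group
    if ($request_uri ~ "^/api/v[(]1[)]/(\w+)") { set $ep $1; }
}
'''
REGEX_OPS = {"~", "~*", "!~", "!~*"}
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[^\s;{]+')

def unnamed_groups(pattern):
    """Count '(' that opens a capture group with no name (not '(?...' or '(*...')."""
    count, i, in_class = 0, 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1                          # skip the escaped character as well
        elif in_class:
            in_class = c != "]"
        elif c == "[":                      # '^' and a leading ']' belong to the class
            in_class, i = True, i + len(re.match(r"\^?\]?", pattern[i + 1:]).group())
        elif c == "(" and pattern[i + 1:i + 2] not in ("?", "*"):
            count += 1
        i += 1
    return count

def audit(conf_text):
    """Return (line, directive, pattern, unnamed_count) for each flagged regex."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        # Tokens from the first '#' onward are a comment and are ignored.
        toks = list(takewhile(lambda t: t[0] != "#", TOKEN.findall(line)))
        name, args, pats = (toks[0] if toks else ""), toks[1:], []
        if name == "rewrite":
            pats = args[:1]                 # first argument is the regex
        elif name in ("location", "if", "server_name"):
            pats = [args[j + 1] for j, t in enumerate(args[:-1]) if t in REGEX_OPS]
            pats += [t.lstrip("~*") for t in args if t[0] == "~" and t not in REGEX_OPS]
        findings += [(no, name, p, unnamed_groups(p))
                     for p in (q.strip("\"'") for q in pats) if unnamed_groups(p)]
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

A finding marks a directive that meets the precondition named above, not evidence of exploitation; converting flagged groups to named or non-capturing form is a configuration change to test before rollout.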

Given NGINX’s extensive deployment across the internet, the emergence of nginx-poolslip underscores the critical need for vigilant security practices and prompt patch management. Organizations should stay alert for official patches and apply them immediately upon release to mitigate potential exploitation risks.

Source: Cyber Security News