CVE-2026-9256, known as Poolslip, is a heap buffer overflow in NGINX's ngx_http_rewrite_module affecting versions 0.1.17 through 1.31.0. CVSS 4.0 score: 9.2 (Critical). The fix is in NGINX Open Source 1.30.2 and 1.31.1. If you applied the May patch for CVE-2026-42945 (Rift) and stopped there, you are still exposed.

How it works

The vulnerability lives in how ngx_http_rewrite_module handles PCRE captures in a redirect context. When a rewrite directive uses overlapping PCRE capture groups in the replacement string, the module miscalculates the required buffer size. The result is a heap buffer overflow in the NGINX worker process.

The baseline impact is a forced worker restart -- reliable, trivially reproducible denial of service. On systems where ASLR is disabled, the overflow becomes a viable remote code execution primitive. No authentication is required. A single crafted HTTP request is sufficient to trigger the condition.

Why "I patched in May" is not enough

This is the critical point. In May 2026, NGINX shipped fixes for a different rewrite module bug: CVE-2026-42945 (Rift), a heap buffer overflow triggered by unnamed PCRE captures combined with URI escaping. That fix landed in versions 1.30.1 and 1.31.0.

Poolslip is a separate advisory, a distinct code path, a different overflow condition. The versions that fixed Rift -- 1.30.1 and 1.31.0 -- do not fix Poolslip. Upgrading from 1.30.0 to 1.30.1 last month moved you off the Rift exposure and onto a version that still carries Poolslip. The only versions that address both are 1.30.2 and 1.31.1.

If your change log reads "upgraded NGINX, patched for Rift," that is not a completed task. It is a task that created a false sense of completion.

Affected and fixed versions

Open Source NGINX:

Status    Versions
Affected  0.1.17 through 1.31.0 (inclusive)
Fixed     1.30.2, 1.31.1

Note that 1.30.1 and 1.31.0 are in the affected range. They fix Rift. They do not fix Poolslip.
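
The version logic above as an added example (not code from the NGINX project or the advisory): a Python triage that parses `nginx -v` banners and flags hosts still carrying Poolslip, calling out the Rift-only releases 1.30.1 and 1.31.0 separately. The hostnames and banners are constructed, and treating later releases on the 1.30 and 1.31 branches, and any newer branch, as fixed is an assumption.

```python
import re

# Version boundaries as stated in the article (NGINX Open Source only).
POOLSLIP_FIRST_AFFECTED = (0, 1, 17)
POOLSLIP_FIXED = {(1, 30): (1, 30, 2), (1, 31): (1, 31, 1)}
RIFT_ONLY_FIXES = {(1, 30, 1), (1, 31, 0)}  # fix Rift, still carry Poolslip

VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_FLEET = {
    "edge-01": "nginx version: nginx/1.30.1",
    "edge-02": "nginx version: nginx/1.30.2",
    "edge-03": "nginx version: nginx/1.31.0",
    "legacy-01": "nginx version: nginx/1.18.0 (Ubuntu)",
}


def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output or a Server header."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no nginx version found in {banner!r}")
    return tuple(int(part) for part in m.groups())


def poolslip_status(banner):
    """Return 'not-affected', 'fixed', 'affected' or 'affected-rift-only'."""
    version = parse_version(banner)
    if version < POOLSLIP_FIRST_AFFECTED:
        return "not-affected"
    # Assumption: later patch releases on a fixed branch, and branches
    # newer than 1.31, keep the fix. Older branches have no fixed release.
    branch_fix = POOLSLIP_FIXED.get(version[:2], (1, 31, 1))
    if version >= branch_fix:
        return "fixed"
    if version in RIFT_ONLY_FIXES:
        return "affected-rift-only"  # the "I patched in May" case
    return "affected"


def triage(fleet):
    """Return {host: status} for hosts that still need the Poolslip upgrade."""
    statuses = {host: poolslip_status(b) for host, b in fleet.items()}
    return {h: s for h, s in statuses.items() if s.startswith("affected")}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```

Distribution packages that backport fixes can keep an older upstream version string, so confirm those hosts against the package vendor's advisory rather than the banner alone.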

NGINX Plus: F5 has not published exact Plus patch version numbers in the public advisory at time of writing. Check your F5 account portal or the NGINX security advisories page for current Plus guidance.

Mitigation if you cannot patch immediately

There is no configuration-level workaround that preserves full rewrite functionality. The practical options are:

  1. Patch. Move to 1.30.2 or 1.31.1. This is the only complete fix.
  2. Audit and restrict rewrite rules. Identify rewrite directives that use overlapping PCRE captures in redirect replacement strings. If those rules can be rewritten using named capture groups or simplified patterns without overlapping captures, that reduces the attack surface without eliminating it entirely.
  3. Restrict access to rewrite-triggered endpoints. If the vulnerable rewrite rules apply only to certain location blocks, adding IP allow-listing or disabling those endpoints temporarily limits exposure at the cost of functionality.

None of these are substitutes for upgrading. They buy time, not safety.
