NGINX Exposed to Another Buffer Overflow Vulnerability Leading to Rewrite Execution (CVE-2026-9256) — Rewrite Rules Need Immediate Repair and Investigation
A heap buffer overflow in ngx_http_rewrite_module enables unauthenticated remote attackers to cause DoS or, under specific conditions, achieve code execution. All NGINX deployments using rewrite directives must upgrade immediately.
NGINX is a mainstream web server, reverse proxy, and load balancing component, widely deployed in public network entry points, business gateways, API proxies, static resource services, and container entry layers. CVE-2026-9256 — also referred to in the community as “nginx-poolslip” — is a heap buffer overflow vulnerability in the ngx_http_rewrite_module.
This vulnerability is triggered when a rewrite directive uses a regex pattern with distinct, overlapping PCRE captures — for example, ^/((.*))$ — and a replacement string that references multiple such captures, such as $1$2, in a redirect or arguments context. Under these conditions, NGINX underestimates the length of the output after URI escaping, leading to a heap overflow in the worker process.
CVE-2026-9256 is a distinct vulnerability from the previously identified CVE-2026-42945, though both are officially classified as buffer overflow issues within the ngx_http_rewrite_module. Their triggering conditions and remediation baselines differ significantly. Environments upgraded to 1.31.0 / 1.30.1 to address CVE-2026-42945 remain vulnerable to CVE-2026-9256 and require further investigation and re-upgrading.
| Affected Component | Affected Versions | Fixed Version |
|---|---|---|
| NGINX Open Source (mainline) | 0.1.17 – 1.31.0 | 1.31.1 |
| NGINX Open Source (stable) | 0.1.17 – 1.30.1 | 1.30.2 |
| NGINX Plus R37 | 37.0 | R37 P1 (37.0.1.1) |
| NGINX Plus R36 | R36 < P5 | R36 P5 |
| NGINX Plus R32 | R32 < P7 | R32 P7 |
CVE-2026-9256 is not equivalent to “all NGINX public-facing services can be directly RCE’d without conditions.” A more accurate characterization: this vulnerability has the preconditions for remote triggering, depends on a specific rewrite configuration, can reliably cause DoS, and carries a realistic path toward RCE under conditions where ASLR is disabled or bypassed.
Triggering conditions require all of the following to be present simultaneously:
- An affected NGINX version is running
- rewrite directives are present in the configuration
- Rewrite regular expressions contain nested or overlapping PCRE capture groups
- The replacement target references multiple capture results (e.g., $1$2)
- Rewrite results enter redirect or query-string replacement scenarios
- An attacker can send crafted HTTP requests to the affected location
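As an added example (not code from the advisory, from NGINX, or from F5), the following Python script applies the configuration-side conditions above to an nginx.conf fragment: it locates rewrite directives, detects nested capturing groups in the regex, counts $N references in the replacement, and checks whether the result feeds a redirect or a query string. The config fragment is constructed, the directive parser assumes unquoted arguments, and the HIGH/REVIEW ratings are this example's own labels.

```python
import re
# Constructed nginx.conf fragment for the demo (not from any real deployment).
SAMPLE_CONF = r"""
location /legacy/ { rewrite ^/legacy/((.*))$ https://new.example.test/$1$2 permanent; }
location /api/    { rewrite ^/api/((v\d+)/.*)$ /index.php?route=$1&ver=$2 last; }
location /static/ { rewrite ^/static/(.*)\.(css|js)$ /assets/$1.$2 break; }
"""
# Assumes unquoted rewrite arguments; quoted regexes would need a fuller tokenizer.
REWRITE_RE = re.compile(r'\brewrite\s+(\S+)\s+(\S+)(?:\s+(last|break|redirect|permanent))?\s*;')

def has_nested_captures(pattern):
    """True if a capturing group opens inside another, e.g. ^/((.*))$."""
    stack, in_class, i = [], False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':                   # skip escaped character
            i += 2
            continue
        if in_class:                    # parentheses inside [...] are literals
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(':                  # (?:...) and lookarounds do not capture; (?<name>...) does
            capturing = not pattern.startswith('(?', i) or \
                re.match(r"\(\?(P?<|')\w", pattern[i:]) is not None
            if capturing and any(stack):
                return True
            stack.append(capturing)
        elif c == ')' and stack:
            stack.pop()
        i += 1
    return False

def redirect_or_args_context(replacement, flag):
    """Rewrite result feeds a 301/302 Location header or replaces the query string."""
    is_redirect = flag in ('redirect', 'permanent') or \
        replacement.startswith(('http://', 'https://', '$scheme://'))
    return is_redirect or '?' in replacement

def audit_rewrites(conf_text):
    """Return (regex, replacement, flag, rating) for each rewrite directive."""
    findings = []
    for regex, repl, flag in REWRITE_RE.findall(re.sub(r'#[^\n]*', '', conf_text)):
        nested = has_nested_captures(regex)
        multi = len(re.findall(r'\$\d+', repl)) >= 2
        if nested and multi and redirect_or_args_context(repl, flag):
            findings.append((regex, repl, flag, 'HIGH'))    # every triggering condition present
        elif nested or multi:
            findings.append((regex, repl, flag, 'REVIEW'))  # partial match, inspect by hand
    return findings
```

A HIGH finding means the directive matches every configuration-side condition listed above and the location should be treated as exposed until the binary is upgraded.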
The exploit chain proceeds as follows: an attacker sends a request carrying a large volume of URI-escaped characters, triggering a length calculation error during rewrite processing. This causes a heap overflow in the worker process. The technique — described as a controlled pointer “slip” across adjacent linked structures in the NGINX memory pool — allows the attacker to overwrite cleanup handler pointers, turning pool destruction into a potential control-flow hijack.
A small overflow may produce heap data leakage visible in response headers. A large overflow crashes the worker process. Combined with leaked information, controlled writes, and NGINX memory pool allocation characteristics, further exploitation toward RCE is technically feasible — particularly on systems where ASLR is disabled or can be bypassed.
NGINX assets carry disproportionately high impact. They are frequently located at public network entry points and business boundaries, with tens of millions of publicly reachable instances on the internet. Even though exploitation depends on a specific rewrite configuration, the attack surface warrants immediate prioritization across public-facing reverse proxies, web gateways, API gateways, and multi-tenant hosting entry points.
The two highest-risk environment categories are:
- Environments upgraded to 1.31.0 or 1.30.1 for CVE-2026-42945 but not yet to 1.31.1 or 1.30.2 remain exposed to CVE-2026-9256.
- Public NGINX environments with historically accumulated rewrite rules — legacy redirects, multi-tenant site rules, gateway compatibility rules — may contain triggerable configurations that are not obvious upon first audit.
NGINX acting as a public reverse proxy or unified entry directly handling external traffic carries the highest blast radius if exploited.
Multiple sites sharing the same NGINX environment with configurations accumulated by multiple business teams over time — without centralized rule auditing — are at elevated risk of containing exploitable patterns.
- Verify the actual running NGINX version. Confirm it is not lower than 1.31.1 (mainline) or 1.30.2 (stable). Check the running binary version, not just the installed package version.
- Do not assume 1.31.0 or 1.30.1 is the final patch version for CVE-2026-9256 — these only addressed CVE-2026-42945.
- Audit all rewrite directives. Focus on rules containing nested or overlapping capture groups, repeated references to $1/$2/…, redirect destinations, and parameter concatenation patterns.
- Prioritize upgrading NGINX on all public network entry points, reverse proxies, API gateways, and multi-tenant web hosting entry points first.
- If an immediate upgrade is not possible, temporarily consolidate high-risk rewrite rules to eliminate complex nested capture groups and duplicate capture references from externally reachable paths.
- Review access and error logs. Pay attention to abnormally long URIs, requests with excessive URI-escaped characters, abnormal 302 response patterns, repeated worker signal 11 (SIGSEGV) crashes, and short-burst connection resets.
- For NGINX Plus environments, upgrade using F5’s tooling: target R37 P1, R36 P5, and R32 P7 for the respective branches.
- After upgrading, reload the configuration and verify the running binary version matches the patched release — not just the installation package version.
