Millionen NGINX-Server betroffen: Kritischer 0-Day-Schwachstelle „nginx-poolslip

Just weeks ago, the cybersecurity community was addressing CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module carrying a CVSS v4 score of 9.2.

The vulnerability, present in the NGINX codebase since 2008, exposed approximately 5.7 million internet-facing NGINX servers to denial-of-service attacks and conditional remote code execution risks. F5 patched the flaw in NGINX Open Source 1.31.0 and 1.30.1, prompting administrators worldwide to rush emergency upgrades.

NGINX 0-Day RCE “nginx-poolslip” nginx-poolslip is a critical RCE vulnerability that targets NGINX’s internal memory pool handling mechanism. The flaw enables attackers to achieve remote code execution on affected servers, potentially granting full system compromise without prior authentication.

Sicherheitslage und Risiko

The vulnerability is described as a bypass of Address Space Layout Randomization (ASLR), a core OS-level memory protection technique designed to prevent exploitation of memory corruption bugs. This follows a previously patched vulnerability known as nginx-rift, which affected earlier NGINX versions and has since been remediated.

However, NebSec’s research confirms that the patch for nginx-rift did not address the underlying attack surface that nginx-poolslip now exploits. NGINX powers an estimated 30–40% of all web servers globally, including high-traffic platforms, reverse proxies, load balancers, and API gateways.

The fact that nginx-poolslip targets the latest release, version 1.31.0, means organizations that diligently updated to avoid nginx-rift may now be exposed to this new threat. At the time of publication, no official patch from the NGINX project has been released.

Sicherheitslage und Risiko

NebSec has followed a 30-day responsible disclosure timeline, committing to withholding the full technical write-up, including ASLR bypass details, until after an official patch is available. As of this writing, no CVE identifier has been assigned, and no official patch from F5/NGINX is available for nginx-poolslip.

Mitigations Until an official patch is issued, administrators should consider the following interim measures: Monitor NebuSec and F5 security advisories for patch availability Restrict public exposure of NGINX admin interfaces and limit attack surface via WAF rules Enable ASLR system-wide ( /proc/sys/kernel/randomize_va_space set to 2 ) as a partial mitigation Audit NGINX configurations for rewrite, if, and set directives using unnamed PCRE capture groups — a known precondition for related pool-level corruption Evaluate memory-safe alternatives such as Cloudflare Pingora for critical infrastructure Given that NGINX powers a significant of global web infrastructure, the security community is closely watching NebUC’s coordinated disclosure.