CVE-2026-9256 - NGINX ngx_http_rewrite_module vulnerability

[Starburst-David]

CVE ID: CVE-2026-9256
Published: May 22, 2026
Description: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Severity: 9.2 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more...

https://cvefeed.io/vuln/detail/CVE-2026-9256

[Starburst-David]

Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

A newly disclosed flaw in one of the world’s most widely deployed web servers is forcing administrators into another emergency patch cycle.

Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP.

The vulnerability resides in the ngx_http_rewrite_module, the same component implicated in the recent “NGINX Rift” flaw (CVE-2026-42945).

More information:
https://cybersecuritynews.com/nginx-poo ... erability/