CVE-2026-9256

Published May 22, 2026

Last updated 6 days ago

CVSS critical 9.2

Overview

Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source
f5sirt@f5.com
NVD status
Modified
Products
nginx_open_source, nginx_plus

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.2
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

f5sirt@f5.com
CWE-122

Social media

Hype score
Not currently trending

  1. 🚨 NGINX sürümleriniz güncel değilse güncelleyin; Rift (CVE-2026-42945) güvenlik açığı 1.30.0 ve öncesini etkiliyor. PoolSlip (CVE-2026-9256) güvenlik açığı 1.31.0 ve öncesini etkiliyor. Patchlenmiş sürümler: Nginx Open Source için 1.30.2 (stable) ya da

    @ridvanyagli

    8 Jun 2026

    206 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2026-9256: CVE-2026-9256 — NGINX heap buffer overflow (CVSS 9.2 Critical) Overlapping PCRE captures in rewrite → heap overflow + heap info leak. Unauthenticated, remote. DoS + RCE path confirmed. Fixed: nginx 1.31.1 / 1.30.2 (9.2 → 1.31.1)

    @lyrie_ai

    8 Jun 2026

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Nginx の脆弱性 nginx-poolslip CVE-2026-9256 が FIX:DoS とリモートコード実行の恐れ https://t.co/1FFS7FTVID NGINX の脆弱性 CVE-2026-9256 (nginx-poolslip) は、 設定ファイル内の rewrite ディレクティブにおいて、

    @iototsecnews

    29 May 2026

    80 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. 🚨 BREAKING: 1/3 of the internet is under active attack. Two critical zero-days (CVE-2026-42945 & CVE-2026-9256) just hit NGINX. The craziest part? The first bug hid in the codebase for 18 YEARS before an AI audit found it. Here is why this is a nightmare 🧵👇 https:/

    @da7rkx0

    27 May 2026

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. CVE-2026-9256: NGINX Heap Overflow Enables RCE on Web Servers https://t.co/71A1KA8wKa #Cybertrending #Cybernewsdaily #Cybersecurity

    @CyberInsights1

    25 May 2026

    3 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2026-9256: NGINX Heap Overflow Enables RCE on Web Servers https://t.co/CzBODNWHSV #Cybertrending #Cybernewsdaily #Cybersecurity

    @TheCyberDef

    24 May 2026

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2026-9256: NGINX Heap Overflow Enables RCE on Web Servers https://t.co/N17umRuu7B #Cybertrending #Cybernewsdaily #Cybersecurity

    @unknownmatter19

    24 May 2026

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Top 5 Trending CVEs: 1 - CVE-2026-9082 2 - CVE-2026-9256 3 - CVE-2026-44578 4 - CVE-2026-42897 5 - CVE-2024-23265 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    24 May 2026

    133 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now! https://t.co/NgT2TKRTyB "Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip,…can be triggered by a remote, unauthenticated attacker over plain HTTP."

    @catnap707

    24 May 2026

    98 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. curl -v "http://TARGET/$(python3 -c "print('+'*500, end='')")" nice test for CVE-2026-9256 aka nginx-poolslip

    @MegaManSec

    23 May 2026

    89 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. NEW THREAT INTEL: CVE-2026-9256 Nginx-poolslip - Pre-auth heap overflow, bypasses CVE-2026-42945 patch. 9 detections, 15 IOCs. https://t.co/HThqQ69S36 #ThreatIntel #NGINX https://t.co/y7pFDfXADo

    @threadlinqs

    23 May 2026

    78 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2026-9256見てる。結構条件厳しめかなぁ。

    @k_kinzal

    23 May 2026

    70 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When content is served or proxied through a location block with both source_charset utf-8; and a charset directive (for example, charset koi8-r;) configured, remote, unauthenticated attackers can send requests (in conjunction with conditions beyond their control) to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-48142
  2. A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-42946
  3. NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-42945
  4. NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-42934
  5. When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-42926

References

Sources include official advisories and independent security research.