PROBABLYPWNED
Vulnerabilities · May 21, 2026 · 4 min read

nginx-poolslip: New Zero-Day Bypasses ASLR for RCE, No Patch

Security researchers disclose nginx-poolslip, an unpatched zero-day in NGINX 1.31.0 that defeats ASLR protection. Millions of servers at risk with no CVE or fix available yet.

Marcus Chen

A new zero-day vulnerability dubbed nginx-poolslip has been publicly disclosed in NGINX 1.31.0, the current mainline release of the world's most widely deployed web server software (in NGINX's numbering the even-numbered 1.30.x line is the stable branch). The flaw is reported to enable remote code execution by defeating Address Space Layout Randomization (ASLR), and there is no patch yet.

Security researcher Vega from the NebSec security team announced the vulnerability on X (formerly Twitter) on May 20, 2026. The timing is particularly concerning: organizations that rushed to update to NGINX 1.31.0 to address the nginx-rift vulnerability we covered last week may now find themselves exposed to this new threat.

What Makes nginx-poolslip Dangerous

nginx-poolslip exploits a flaw in NGINX's internal memory pool handling (the ngx_pool_t allocator that NGINX layers on top of malloc). nginx-rift was a heap buffer overflow in the rewrite module; nginx-poolslip is described instead as a way of defeating ASLR, the OS-level mitigation that loads code and data at randomized addresses so that memory corruption bugs cannot be exploited reliably.

When ASLR is defeated, attackers can reliably predict where code and data reside in memory, which turns an exploit that would otherwise mostly crash the target into a deterministic path to code execution. Worth noting for defenders: NGINX's master process restarts any worker that crashes, so an attacker guessing addresses gets cheap retries against a fresh worker each time, and a burst of worker crashes in the error log is the visible side of those attempts.

According to NebSec's disclosure, the vulnerability allows unauthenticated remote attackers to:

  1. Bypass ASLR protections across major Linux distributions
  2. Achieve arbitrary code execution on the underlying server
  3. Potentially compromise entire systems without prior authentication

Code execution in this scenario lands in an NGINX worker process, which normally runs as the unprivileged account set by the user directive (www-data or nginx) while only the master runs as root. Taking over the whole host from there needs a further privilege escalation, unless the workers have been configured to run as root.

The researchers say the nginx-rift fix did not close the underlying memory pool attack surface, which is why nginx-poolslip is present in the updated codebase.

Scope of Exposure

NGINX powers approximately 34% of all websites globally, according to W3Techs. The server software handles traffic for millions of domains, from small personal blogs to enterprise infrastructure at organizations including Netflix, Cloudflare, and WordPress.com.

While the exact number of vulnerable servers remains unknown, any deployment running NGINX 1.31.0 or 1.30.1 (the versions patched for nginx-rift) should be considered at risk. Older versions may be affected as well, though NebSec has not yet released detailed version ranges.

No CVE, No Patch—What to Do Now

As of this writing, no CVE identifier has been assigned to nginx-poolslip. F5, which maintains the NGINX project, has not released an official patch or security advisory.

NebSec is following a 30-day responsible disclosure timeline, withholding the full technical writeup—including ASLR bypass details—until a patch becomes available. This gives F5 time to develop and distribute fixes, but it also means defenders are operating with limited technical information.

Interim Mitigations

Until a patch is available, organizations should consider:

  • Enable additional hardening — This applies only if you build NGINX yourself: compile with -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -fPIE with -pie, full RELRO (-Wl,-z,relro,-z,now) and, on toolchains that support them, Clang CFI or -fcf-protection (Intel CET). Control Flow Guard (CFG) exists only for Windows builds. Distribution packages already ship with most of these flags, so verify rather than assume. These raise the cost of turning the bug into code execution, but none of them puts back the randomization an ASLR bypass takes away.
  • Network segmentation — NGINX is usually the internet-facing tier, so it cannot simply be hidden, but internal instances, admin virtual hosts and status endpoints (stub_status, internal APIs) can be restricted to trusted networks, a separately patched proxy or CDN can sit in front of exposed origins, and workers can be confined so a compromised one cannot reach much: an unprivileged user directive, a container with a minimal image, or systemd sandboxing (NoNewPrivileges, ProtectSystem, PrivateTmp).
  • Web Application Firewall (WAF) — Deploy WAF rules to reject oversized or malformed requests, but with no technical details public there is nothing bug-specific to match on, and memory corruption exploits rarely look like injection payloads. Note also that ModSecurity-nginx and NGINX App Protect run inside the same worker process, so a WAF module does not isolate NGINX from its own bugs; only a WAF on a separate host in front of it does.
  • Monitor for exploitation attempts — The master process records every abnormal worker exit in the error log as `[alert] ... worker process <pid> exited on signal 11 (core dumped)` and respawns the worker, so a burst of such lines (signal 11 for SIGSEGV, signal 6 for SIGABRT from the stack protector, signal 7 for SIGBUS) is the most direct indicator that someone is probing a memory-safety bug. Enable core dumps with worker_rlimit_core and working_directory so a crash leaves something to analyse, and alert on the worker respawn rate rather than on single crashes.
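
Before rebuilding anything, it is worth knowing what the nginx binary already has. The following script is an added example written for this article (not NGINX, F5 or checksec code); it parses the ELF64 header, program headers and dynamic section to report PIE, NX stack, RELRO/BIND_NOW and a stack-protector import. The file name elf_hardening.py and the built-in sample image are assumptions: the sample is a constructed, non-runnable ELF used only so the checker can be exercised offline.

```python
"""Report the compile-time hardening present in an ELF64 binary such as /usr/sbin/nginx.

Added example for this article, not part of NGINX, F5 tooling or checksec; it parses
just enough of the ELF headers to answer the questions the mitigation list raises.
Usage: python3 elf_hardening.py /usr/sbin/nginx   (no argument: checks a built-in sample)
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 header, little-endian
PHDR = "<IIQQQQQQ"           # 56-byte ELF64 program header
DYN = "<qQ"                  # 16-byte dynamic section entry


def check_hardening(data: bytes) -> dict:
    """Return {feature: bool} for a little-endian ELF64 image already read into memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    result = {
        "pie": e_type == ET_DYN,        # ET_DYN executable => loaded at a random base
        "nx_stack": False,              # no PT_GNU_STACK at all => assume executable stack
        "relro": False,
        "bind_now": False,
        # Heuristic, as in checksec: a stack-protector build references __stack_chk_fail.
        "stack_canary": b"__stack_chk_fail\x00" in data,
    }
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    if dyn_off is not None:             # a fully static binary has no dynamic section
        for j in range(dyn_size // 16):
            d_tag, d_val = struct.unpack_from(DYN, data, dyn_off + j * 16)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                result["bind_now"] = True
    # Full RELRO (GOT made read-only before main runs) needs both the segment and BIND_NOW.
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True) -> bytes:
    """Construct a minimal, non-runnable ELF64 image with the requested properties.
    Constructed test data so the checker can be exercised offline; not a real binary."""
    nph = 3 if relro else 2
    dyn_off = 64 + nph * 56
    dyn = (struct.pack(DYN, DT_FLAGS_1, DF_1_NOW) if bind_now else b"") \
        + struct.pack(DYN, DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9    # ELFCLASS64, little-endian
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, nph, 0, 0, 0)
    phdrs = [struct.pack(PHDR, PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16),
             struct.pack(PHDR, PT_DYNAMIC, 0x6, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack(PHDR, PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    return ehdr + b"".join(phdrs) + dyn + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for feature, present in check_hardening(image).items():
        print(f"{feature:13} {'yes' if present else 'NO'}")
```

Run it against /usr/sbin/nginx (or whatever path your package installs). Expect "yes" on every line for a current distribution package; a "NO" on pie is the one that matters most here, because a non-PIE executable is loaded at a fixed address and ASLR never covered its code in the first place. The canary check is the same string heuristic checksec uses, and a fully static build has no dynamic section, so bind_now reads NO there regardless of how it was linked. For anything beyond a quick look, use checksec or readelf -l / readelf -d directly.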

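
To make the monitoring bullet concrete, here is an added example (written for this article, not NGINX code) that reads an nginx error log, picks out the master process's "worker process N exited on signal M" lines, and reports bursts of crashes. The log lines embedded in it are constructed sample data, and the file name nginx_crash_burst.py and the 60-second gap / 3-crash thresholds are assumptions to tune for your traffic.

```python
"""Flag bursts of NGINX worker crashes in an error log.

Added example for this article, not NGINX code.  The master process logs every
abnormal worker exit as "[alert] <pid>#<tid>: worker process <pid> exited on
signal <n>" (with " (core dumped)" when a core was written) and respawns the
worker, so repeated lines of this shape are the most direct sign that something
is being thrown at a memory-safety bug.
Usage: python3 nginx_crash_burst.py /var/log/nginx/error.log
"""
import re
import signal
import sys
from datetime import datetime

WORKER_EXIT = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
2026/05/21 09:58:02 [notice] 1200#1200: start worker process 1351
2026/05/21 10:01:15 [alert] 1200#1200: worker process 1351 exited on signal 11 (core dumped)
2026/05/21 10:01:16 [notice] 1200#1200: start worker process 1402
2026/05/21 10:01:18 [alert] 1200#1200: worker process 1402 exited on signal 11 (core dumped)
2026/05/21 10:01:27 [alert] 1200#1200: worker process 1403 exited on signal 6 (core dumped)
2026/05/21 10:01:41 [alert] 1200#1200: worker process 1404 exited on signal 11 (core dumped)
2026/05/21 10:40:05 [alert] 1200#1200: worker process 1560 exited on signal 11
2026/05/21 10:45:00 [notice] 1200#1200: worker process 1561 exited with code 0
"""


def signal_name(num: int) -> str:
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"SIG{num}"


def parse_worker_exits(lines):
    """Return sorted (timestamp, pid, signal number, core dumped) tuples, one per crash."""
    events = []
    for line in lines:
        m = WORKER_EXIT.match(line)
        if not m:
            continue   # normal exits ("exited with code 0") and other noise are ignored
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        events.append((ts, int(m["pid"]), int(m["sig"]), m["core"] is not None))
    events.sort(key=lambda e: e[0])
    return events


def summarize(cluster):
    """Turn one cluster of crash events into an alert record."""
    sigs = {}
    for _, _, sig, _ in cluster:
        sigs[sig] = sigs.get(sig, 0) + 1
    return {
        "start": cluster[0][0].isoformat(sep=" "),
        "end": cluster[-1][0].isoformat(sep=" "),
        "count": len(cluster),
        "signals": sigs,
        "pids": [pid for _, pid, _, _ in cluster],
        # SIGABRT from a worker is what glibc's stack protector produces
        # ("*** stack smashing detected ***" on stderr), so it deserves a look
        # even though NGINX's own assertions can also abort.
        "possible_canary_hit": signal.SIGABRT.value in sigs,
    }


def find_crash_bursts(events, gap_seconds=60, threshold=3):
    """Cluster crashes whose gap to the previous crash is <= gap_seconds and
    report every cluster with at least `threshold` crashes."""
    bursts, cluster = [], []
    for ev in events:
        if cluster and (ev[0] - cluster[-1][0]).total_seconds() > gap_seconds:
            if len(cluster) >= threshold:
                bursts.append(summarize(cluster))
            cluster = []
        cluster.append(ev)
    if len(cluster) >= threshold:
        bursts.append(summarize(cluster))
    return bursts


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for b in find_crash_bursts(parse_worker_exits(src)):
        names = ", ".join(f"{signal_name(s)} x{n}" for s, n in b["signals"].items())
        flag = " [possible stack-protector abort]" if b["possible_canary_hit"] else ""
        print(f"{b['start']} .. {b['end']}: {b['count']} worker crashes ({names}){flag}")
```

Feed it the error log (whatever error_log points at, /var/log/nginx/error.log by default) from cron or a log shipper. One crash a day is ordinary wear; several within a minute from freshly spawned workers is not, and that respawn loop is what an attacker retrying addresses against a partially defeated ASLR looks like from the defender's side. Gap-based clustering is used instead of fixed windows so that a slow probe at one crash every 50 seconds still groups, which a per-minute counter would split.
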
Why This Pattern Keeps Repeating

nginx-poolslip is the second major NGINX vulnerability disclosed in 10 days. The nginx-rift flaw (CVE-2026-42945) stemmed from a two-decade-old bug in the rewrite module, in code that had been shipping since 2006, and it was already being exploited in the wild before patches arrived.

The pattern reflects a broader problem: foundational internet infrastructure often runs on code written before modern security practices became standard. When researchers turn their attention to these codebases, they tend to find things. Memory pool handling, URL parsing, regex processing—all areas where complexity meets performance pressure, and security vulnerabilities accumulate.

For deeper context on how supply chain and infrastructure vulnerabilities cascade through organizations, see our coverage of the TanStack npm compromise and the subsequent Grafana breach.

What Comes Next

F5's security team is presumably working on a fix, though the company hasn't publicly acknowledged nginx-poolslip yet. The 30-day disclosure window suggests technical details could become public around June 20, 2026, regardless of patch status.

Organizations running NGINX in production should subscribe to NGINX's security advisories and monitor for updates. Given the severity—remote code execution with ASLR bypass—expect this to receive a critical CVSS rating once a CVE is assigned.

The lack of authentication requirements and the ubiquity of NGINX make this a high-priority issue. Don't wait for the CVE to start planning your response.
