BeyondMachines for BeyondMachines

Originally published at beyondmachines.net

Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks

Summary

NGINX has disclosed a critical heap buffer overflow vulnerability (CVE-2026-9256) in its rewrite module that allows unauthenticated attackers to cause denial-of-service or execute arbitrary code. The flaw, known as nginx-poolslip, affects both Open Source and Plus versions and requires immediate patching or configuration changes.

Take Action:

If you're running NGINX (Open Source or Plus), upgrade immediately to a patched version (1.30.2, 1.31.1, NGINX Plus R36 P5, R32 P7, or R37.0.1.1). If you can't patch right away, edit your config files to replace unnamed numeric capture groups (like $1, $2) in rewrite directives with named captures (like $user_id) as a temporary workaround.
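One way to find the directives this workaround applies to, as an added example that is not part of the original article or any NGINX tooling: a small scanner that reports `rewrite` directives whose replacement string references `$1` through `$9`. The sample configuration and the function name are constructed for illustration, and the scanner assumes each `rewrite` directive sits on a single line.

```python
import re

# Constructed sample config: two directives use numeric captures,
# one already uses a named capture and one is commented out.
SAMPLE_CONF = r'''
server {
    listen 80;
    # rewrite ^/old/(.*)$ /new/$1 last;
    rewrite ^/users/(\d+)$ /profile?id=$1 last;
    rewrite "^/a/(\w+)/(\w+)$" "/b/$2/$1" permanent;
    rewrite ^/accounts/(?<user_id>\d+)$ /profile?id=$user_id last;
}
'''

# One nginx argument: double-quoted, single-quoted, or bare.
ARG = r'''(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[^\s;"']+)'''
# rewrite <regex> <replacement> [flag];  (single-line directives only)
REWRITE = re.compile(r'^\s*rewrite\s+(' + ARG + r')\s+(' + ARG + r')[^;]*;')
# Reference to an unnamed capture group in the replacement string.
NUMERIC_REF = re.compile(r'\$([1-9])')


def find_numeric_capture_rewrites(conf_text):
    """Return [(line_no, directive, ['$1', ...])] for every rewrite
    directive whose replacement references an unnamed capture."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = REWRITE.match(line)  # commented-out lines never match
        if not m:
            continue
        refs = sorted({'$' + d for d in NUMERIC_REF.findall(m.group(2))})
        if refs:
            findings.append((line_no, line.strip(), refs))
    return findings


if __name__ == '__main__':
    for line_no, directive, refs in find_numeric_capture_rewrites(SAMPLE_CONF):
        print(f'line {line_no}: {directive}  uses {", ".join(refs)}')
```

Each reported directive is a candidate for the rewrite shown in the sample's last rule, where the group is declared as `(?<user_id>...)` and referenced as `$user_id`.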

