NGINX Rift and PoolSlip
Overview
Two critical vulnerabilities have recently been disclosed in NGINX's ngx_http_rewrite_module. We have been actively monitoring both issues since disclosure. Our configuration is not susceptible to either vulnerability. As a precaution, we have updated our base NGINX images to the latest patched version.
The vulnerabilities
NGINX Rift — CVE-2026-42945 (CVSS 9.2 Critical)
Disclosed on 13 May 2026, NGINX Rift is a heap buffer overflow in NGINX's ngx_http_rewrite_module triggered when the rewrite, if, or set directive is used with an unnamed expression (such as $1 or $2) to replace strings after a question mark. A single crafted HTTP request from an unauthenticated remote attacker can crash the worker process (DoS) or, in some conditions, achieve remote code execution. The bug had been present in the codebase since NGINX 0.6.27 in 2008 and affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus R32 through R36.
NGINX PoolSlip — CVE-2026-9256 (CVSS 9.2 Critical)
Disclosed on 22 May 2026, just nine days after Rift, PoolSlip is a second heap overflow in the same rewrite module. It is triggered when a rewrite directive uses a regex pattern with distinct, overlapping PCRE capture groups, such as ^/((.*))$ paired with a replacement string referencing multiple captures, like $1$2. The crafted request causes a controlled pointer "slip" across adjacent linked structures within the NGINX memory pool, allowing the attacker to overwrite cleanup handler pointers, again enabling DoS and potential RCE. Affected versions are NGINX Open Source 0.1.17 through 1.30.1 and 1.31.0.
Why our configuration is safe
Both vulnerabilities require specific patterns in rewrite / set / if directives: unnamed capture groups for Rift, and overlapping PCRE capture groups with multi-capture backreferences for PoolSlip. Our base NGINX configuration does not use these patterns, so neither exploit is reachable against our deployed servers.
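The check described above can be automated. The following is an added example, not part of the original advisory: a heuristic audit that flags rewrite and set directives (including those inside if blocks) matching the two patterns. The sample configuration, function names and finding labels are constructed for illustration, and "(?...)" groups are assumed to be non-capturing.

```python
import re
import shlex

# Constructed sample config for illustration (not a deployed configuration).
SAMPLE = r'''
server {
    rewrite ^/((.*))$ /new/$1$2 last;
    rewrite ^/old/(.*)$ /new?path=$1 permanent;
    if ($request_uri ~ "^/u/(\d+)") { set $target "/profile?id=$1"; }
    rewrite ^/(?<page>[a-z]+)$ /index.php?p=$page last;
    rewrite ^/a/(.*)/(.*)$ /b/$2/$1 last;
}
'''

# rewrite/set statements, including ones written inside if {} blocks.
DIRECTIVE = re.compile(r'(?:^|[;{}])\s*(rewrite|set)\s+([^;]+);', re.M)
NUMBERED = re.compile(r'\$(\d)')

def has_nested_captures(pattern):
    """True if a capturing group opens while another one is still open."""
    bare = re.sub(r'\\.|\[[^\]]*\]', '', pattern)  # drop escapes and char classes
    stack = []
    for i, ch in enumerate(bare):
        if ch == '(':
            capturing = bare[i + 1:i + 2] != '?'  # assumption: "(?..." groups are ignored
            if capturing and any(stack):
                return True
            stack.append(capturing)
        elif ch == ')' and stack:
            stack.pop()
    return False

def audit(config_text):
    """Return (line, label, statement) for each directive matching a pattern."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        name = m.group(1)
        args = [a.strip('"\'') for a in shlex.split(m.group(2), posix=False)]
        if len(args) < 2:
            continue
        line = config_text.count('\n', 0, m.start(1)) + 1
        stmt = f"{name} {m.group(2).strip()}"
        target = args[1]  # rewrite: replacement string; set: assigned value
        if NUMBERED.search(target.partition('?')[2]):  # $N after a question mark
            findings.append((line, 'rift-pattern', stmt))
        if (name == 'rewrite' and has_nested_captures(args[0])
                and len(set(NUMBERED.findall(target))) >= 2):
            findings.append((line, 'poolslip-pattern', stmt))
    return findings
```

A finding means the directive has the shape described in this advisory and should be reviewed; an empty result on a configuration with quoted semicolons or included files is not conclusive, since the scan reads a single file and splits statements on ";".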
What we changed
Out of an abundance of caution, we have updated our base NGINX images to the latest upstream release, which incorporates the patches for both CVE-2026-42945 and CVE-2026-9256. No action is required from customers; the updated images will roll out as part of the normal deployment cycle.