A critical zero-day remote code execution (RCE) vulnerability, dubbed nginx-poolslip, has been publicly disclosed in NGINX version 1.31.0, the latest stable release of the world’s most widely deployed web server software.

The discovery, made by security researcher Vega of the NebSec security team, was announced via X (formerly Twitter) on May 21, 2026, sending shockwaves through the global security community.

The timing is particularly alarming, just weeks prior, administrators worldwide scrambled to patch CVE-2026-42945, a critical heap buffer overflow in NGINX’s ngx_http_rewrite_module carrying a CVSS v4 score of 9.2.

That flaw, embedded in the codebase since 2008, exposed an estimated 5.7 million internet-facing NGINX servers to denial-of-service attacks and conditional RCE.

F5 patched it in NGINX Open Source versions 1.31.0 and 1.30.1, the very release that nginx-poolslip now targets.

New NGINX 0-Day “nginx-poolslip”

nginx-poolslip exploits a flaw in NGINX’s internal memory pool handling mechanism, allowing unauthenticated attackers to achieve remote code execution and potentially compromise the entire system.

Most critically, the vulnerability functions as a bypass of Address Space Layout Randomization (ASLR), a foundational OS-level memory protection designed to thwart exactly this category of memory corruption exploit.

The attack surface traces back to an nginx-rift predecessor vulnerability, which affected earlier NGINX versions and was subsequently patched.

Introducing nginx-poolslip, a fresh RCE for the the latest nginx release 1.31.0.

nginx-rift has been patched, but our security agent Vega has found a new 0 day.

We will release the full technical writeup with ASLR bypass 30 days after the patch on https://t.co/LAhOC5UHrp. pic.twitter.com/4rqMp4uA4i

— Nebula Security (@nebusecurity) May 20, 2026

However, NebSec’s research confirms that the patch for nginx-rift failed to remediate the underlying memory pool attack surface, leaving the door open for nginx-poolslip to emerge in the updated codebase.

NGINX powers an estimated 30–40% of all global web servers, spanning high-traffic platforms, reverse proxies, load balancers, and API gateways.

Because nginx-poolslip specifically targets version 1.31.0, the patch was rushed to deployment by admins. Following CVE-2026-42945, organizations that acted diligently may now find themselves re-exposed to a fresh, unpatched threat.

According to CSN, no CVE identifier has been assigned, and no official patch from F5/NGINX is available.

NebSec is operating under a 30-day responsible disclosure timeline, withholding full technical details, including the complete ASLR bypass methodology, until an official fix is released.

Mitigations

Until an official patch is issued, administrators should implement the following interim measures:

• Monitor NebSec and F5 security advisories closely for patch availability
• Restrict public exposure of NGINX admin interfaces and deploy WAF rules to reduce the attack surface
• Ensure ASLR is enforced system-wide by setting /proc/sys/kernel/randomize_va_space to 2
• Audit NGINX configurations for rewrite, if, and set directives using unnamed PCRE capture groups — a known precondition for pool-level memory corruption
• Evaluate memory-safe alternatives such as Cloudflare Pingora for mission-critical infrastructure

Given NGINX’s outsized role in global web infrastructure, the security community is closely monitoring NebSec’s coordinated disclosure.

Organizations are strongly urged to subscribe to F5’s security bulletin feed and prepare emergency patching workflows in anticipation of an imminent fix.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.

The post New NGINX 0-Day “nginx-poolslip” Exposes Millions to RCE appeared first on Cyber Security News.

Open source software giant GitHub confirmed a data breach this week involving the theft of thousands of repos. One threat actor — TeamPCP — took credit.

Vulnerability exploitation has overtaken stolen credentials as the most common way attackers gain initial access to target networks, according to the 2026 Verizon Data Breach Investigations Report. This is the first time credential theft has been knocked off the top spot in the report’s 19-year history, the company noted. Known initial access vectors over time (Source: Verizon 2026 DBIR) What is Verizon DBIR? Published annually, Verizon’s DBIR is based on the analysis of real-world data … More →

The post Verizon DBIR: Vulnerability exploitation is the dominant initial access vector appeared first on Help Net Security.

Hackers are increasingly abusing the legacy Microsoft HTML Application Host (MSHTA) utility to deliver commodity malware such as LummaStealer and Amatera. Despite being tied to Internet Explorer, which was retired in 2022, MSHTA remains default in Windows, making it an attractive Living-off-the-Land binary (LOLBIN) for stealthy attacks. MSHTA allows execution of VBScript and JavaScript from […]

The post Hackers Exploit MSHTA to Deploy LummaStealer and Amatera Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Having receive a ransom payment for its attack on Canvas, ShinyHunters and other extortion gangs are only likely to be further incentivised to launch similar attacks in future. Read more in my article on the Hot for Security blog.

Verizon DBIR finds 31% of data breaches began with software flaws last year