Second Nginx Remote Exploit Found in 10 Days

Corrective releases nginx 1.31.1 and 1.30.2 (https://github.com/nginx/nginx/releases/tag/release-1.30.2) have been published, fixing a critical vulnerability (CVE-2026-9256) that allows remote code execution with the privileges of the nginx worker process by sending a specially crafted HTTP request. The researchers who identified the problem demonstrated a working exploit, which will be published along with a full description 30 days after the fix. The vulnerability was codenamed nginx-poolslip. The problem is present starting from nginx version 0.1.17. For angie and freenginx, no fixes had been published at the time of writing.

Like a similar problem fixed last week, the new vulnerability is caused by a buffer overflow in the ngx_http_rewrite_module module and appears in configurations with certain regular expressions in the “rewrite” directive. In this case, the vulnerability affects systems with nested capture groups (parentheses within parentheses) in a rewrite expression, such as “^/((.*))$” or “^/(test([123]))$”, combined with the use of multiple unnamed capture references in the replacement string (for example, “$1$2”).
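As an added example (not code from nginx or from the researchers), the following Python sketch audits a configuration for the rule shape described above: a rewrite regex with nested unnamed capture groups together with two or more numbered references in the replacement. The function names, the one-directive-per-line assumption and the sample configuration are constructed for illustration; a hit marks a rule to review while upgrading, not proof of exploitability.

```python
import re

# Assumption: one directive per line, arguments optionally quoted.
ARG = r"""("[^"]*"|'[^']*'|[^\s;]+)"""
REWRITE = re.compile(r"^[ \t]*rewrite\s+" + ARG + r"\s+" + ARG, re.M)

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = r'''
server {
    rewrite ^/((.*))$ /index.php?a=$1&b=$2 last;
    rewrite ^/(test([123]))$ /t/$1$2 break;
    rewrite ^/(a)/(b)$ /$1/$2 last;
    rewrite ^/(?:x(.*))$ /$1 last;
    rewrite "^/((?<id>\d+))$" /item/$1 last;
}
'''

def has_nested_unnamed_groups(pattern):
    """True if an unnamed capture group opens inside another unnamed capture group."""
    stack = []                    # one bool per open "(": is it an unnamed capture?
    i, in_class = 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2                # skip the escaped character
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            capturing = pattern[i + 1:i + 2] != "?"   # (?:..), (?<n>..) do not count
            if capturing and any(stack):
                return True
            stack.append(capturing)
        elif c == ")" and stack:
            stack.pop()
        i += 1
    return False

def audit(conf_text):
    """Return (line, regex, replacement) for each rewrite rule of the described shape."""
    hits = []
    for m in REWRITE.finditer(conf_text):
        regex, repl = (a.strip("\"'") for a in m.groups())
        if has_nested_unnamed_groups(regex) and len(re.findall(r"\$[1-9]", repl)) >= 2:
            line = conf_text.count("\n", 0, m.start(1)) + 1
            hits.append((line, regex, repl))
    return hits
```

Running `audit()` over the output of `nginx -T` covers included files as well, since that command dumps the full effective configuration.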

Additionally, note the release of njs 0.9.9, a module for integrating a JavaScript interpreter into the nginx HTTP server. The new version fixes a vulnerability (CVE-2026-8711) that has been present since njs version 0.9.4. The problem is caused by a buffer overflow and occurs in configurations where the js_fetch_proxy directive contains nginx variables with data from the client request (for example, $http_*, $arg_* and $cookie_*), in combination with a location handler that calls the ngx.fetch() function. The vulnerability can be exploited to execute code with the privileges of the nginx worker process by sending a specially crafted HTTP request.
