Organizations that just updated NGINX to patch one vulnerability now face a second, unpatched remote code execution flaw in the same release, one capable of bypassing a core operating system memory protection technique that most exploits have to defeat separately.
nginx-poolslip: An Unpatched RCE in NGINX 1.31.0
NebSec security researcher Vega publicly disclosed nginx-poolslip on May 21, 2026, via X. The vulnerability affects NGINX 1.31.0 — the current latest stable release — and resides in the web server’s internal memory pool handling mechanism. No CVE has been assigned, and no official patch is available as of publication.
The breadth of potential exposure is significant. NGINX powers an estimated 30 to 40 percent of all web servers globally, placing the attack surface at tens of millions of deployed instances, including production web infrastructure, reverse proxies, load balancers, and API gateways.
ASLR Bypass Built Into the Exploit Chain
What distinguishes nginx-poolslip from many memory corruption vulnerabilities is that it bypasses Address Space Layout Randomization (ASLR), a core operating system memory protection technique. Normally, defeating ASLR requires a separate exploit primitive, which makes reliable exploitation meaningfully harder. nginx-poolslip eliminates that requirement: reliable exploitation becomes feasible on unpatched systems without a standalone bypass.
Responsible Disclosure Timeline Under Vega’s Protocol
Vega committed to withholding the full technical write-up and ASLR bypass details for 30 days following the release of an official patch. That 30-day clock has not started because no patch exists yet. The vulnerability was publicly disclosed on X, which means the existence of the flaw and its general characteristics are known, but the technical specifics that would allow direct weaponization are being held back pending vendor remediation.
A Troubled Release: NGINX 1.31.0 and the nginx-rift Connection
The timing of this disclosure adds a compounding layer of difficulty for administrators. NGINX 1.31.0 was released specifically to patch the previously disclosed nginx-rift vulnerability, tracked as CVE-2026-42945. Organizations that applied the nginx-rift patch by upgrading to 1.31.0 now find themselves running the exact version targeted by nginx-poolslip. The two vulnerabilities are distinct flaws — nginx-poolslip is not a bypass of the nginx-rift patch, but a separate vulnerability present in the same release.
That sequence — patch one flaw, land on a version with another — is a recognized risk in any rapidly patched software ecosystem, but the scale of NGINX’s global deployment amplifies the operational impact. Administrators currently have no vendor-supplied patch to apply and no CVE assignment to track through vulnerability management workflows. Until an official fix is released and Vega’s 30-day post-patch window closes, the full technical details of the ASLR bypass remain withheld.
