On May 21, 2026, security researchers at Nebula Security (NebSec) disclosed nginx-poolslip, an unpatched remote code execution zero-day in NGINX 1.31.0, the current release. It is not the same flaw as CVE-2026-42945 (Rift), patched eight days earlier: poolslip bypasses that patch entirely and targets a separate code path in NGINX's memory pool allocator.

If you run NGINX in your homelab — as a reverse proxy, API gateway, or load balancer — this advisory is for you. As of May 22, 2026, there is no official patch. This guide will help you determine your exposure, understand the risk, and apply practical mitigations until a fix lands.


What Is nginx-poolslip?

nginx-poolslip is a remote code execution vulnerability in NGINX's handling of its internal memory pools (ngx_pool_t). An attacker can corrupt the cleanup-handler linked list of a request-scoped pool. When NGINX destroys that pool at the end of the request lifecycle, it calls each cleanup handler through its stored function pointer, so a corrupted entry hands the attacker control of execution flow.

Key facts:

Detail              Value
Disclosed           May 21, 2026 by Nebula Security
Affected version    NGINX 1.31.0 (and NGINX Plus builds on the same C codebase)
CVSS (estimated)    9.0+ (RCE, no authentication required, no patch)
CVE assigned        Not yet; pending F5 triage
Patch available     No; NebSec's 30-day disclosure window is running
ASLR bypass         Confirmed; the exploit includes a memory disclosure primitive

The trigger path is dynamic variable expansion in the set, map, geo, and upstream configuration directives, a code path the Rift patch did not cover.


Are You Affected?

If you run NGINX in your homelab, your risk depends on:

  1. Which NGINX version you are running
  2. Whether your instance is internet-facing
  3. Which configuration directives you use

Check Your NGINX Version

If NGINX is installed directly on the host:

nginx -v
# nginx version: nginx/1.31.0  ← VULNERABLE
# nginx -v prints its banner to stderr, so add 2>&1 if you pipe it into grep

If running in Docker, query the container that is actually serving traffic:

docker exec <container-name> nginx -v
# "docker run --rm nginx:latest nginx -v" only reports what a fresh pull of the
# latest tag contains today, not the binary your existing container is running

Check your Docker image tags:

docker images | grep nginx

Vulnerable images: Any NGINX image tagged 1.31.0, latest, or alpine pulled after the 1.31.0 release date (approximately mid-May 2026).

Safe images: NGINX 1.30.x, 1.26.x, or any pinned version below 1.31.0. Default images pinned to 1.27.x (like Nginx Proxy Manager) are not affected unless you manually upgraded the base image to 1.31.0.
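The version check above is easy to get wrong in a script because nginx -v writes to stderr and because NGINX Plus appends its own release tag after the open-source number. The function below is an added example, not tooling from the advisory or from NGINX: it parses the banner and classifies it against the range the advisory gives (exactly 1.31.0 affected, anything below it unaffected). Releases above 1.31.0 come back as CHECK_ADVISORY because, until F5 publishes the fix, nothing local can know which later release contains it.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an "nginx -v" banner against the version
# range the advisory gives (exactly 1.31.0 affected; anything below it unaffected).
# Versions above 1.31.0 are reported as CHECK_ADVISORY because, until F5 publishes the fix,
# nothing here can know which later release contains it. NGINX Plus appends its own release
# tag after the open-source number; only that number is read.

# classify_nginx_version BANNER -> prints VULNERABLE | NOT_AFFECTED | CHECK_ADVISORY | UNKNOWN
classify_nginx_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*|\1 \2 \3|p')
    [ -n "$ver" ] || { echo UNKNOWN; return 1; }
    set -- $ver
    major=$1; minor=$2; patch=$3
    if [ "$major" -eq 1 ] && [ "$minor" -eq 31 ] && [ "$patch" -eq 0 ]; then
        echo VULNERABLE
    elif [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 31 ]; }; then
        echo NOT_AFFECTED
    else
        echo CHECK_ADVISORY
    fi
}

# Usage: nginx -v writes its banner to stderr, so redirect before capturing it.
#   classify_nginx_version "$(nginx -v 2>&1)"
#   classify_nginx_version "$(docker exec <container-name> nginx -v 2>&1)"
```

Run it against every container and host that serves HTTP, not just the one you remember deploying; Nginx Proxy Manager and similar bundles carry their own NGINX binary.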

Check if You Use Affected Directives

If your config uses set, map, geo, or upstream blocks, you are inside the attack surface the advisory describes. Find them with:

grep -rnE '^[[:space:]]*(set|map|geo|upstream)[[:space:]]' /etc/nginx/

The trailing whitespace class anchors the match to the directive itself, so set_real_ip_from or map_hash_bucket_size do not show up as false positives.

Why This Matters for Homelabs

Most homelabs run NGINX as a reverse proxy. The vulnerability is especially concerning because:

Reverse proxies are exposed. If you publish services via NGINX with a public DNS record or port forward, an attacker can reach your NGINX listener without any authentication.

No patch exists. Unlike a typical CVE where you can run apt upgrade and move on, poolslip has no fix. You must rely on mitigations.

Configuration-based trigger. The vulnerability fires through common rewrite and variable-expansion paths. If you generate NGINX config dynamically (templated set/map rules, per-service variables) or hand-craft set/map rules for routing, you are more exposed.

Docker deployments that pull latest. A surprising number of homelab compose files use image: nginx:latest. If Docker pulled the 1.31.0 image in the past week, you are running a vulnerable binary.


Practical Mitigations

Until F5 releases a patch, use these strategies to reduce risk.

1. Pin Your NGINX Docker Image to 1.26.x or 1.30.x

The simplest mitigation: downgrade to a known-safe version.

# docker-compose.yml — pin to safe version
services:
  nginx:
    # Use 1.26.x (long-term stable) or 1.30.x (latest safe release)
    image: nginx:1.26.3-alpine
    # NOT: nginx:latest, nginx:1.31.0, nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./conf.d:/etc/nginx/conf.d:ro
      - ./ssl:/etc/nginx/ssl:ro
    restart: unless-stopped

Then recreate the container:

docker compose pull nginx
docker compose up -d nginx
docker exec <container> nginx -v
# Confirm: nginx version: nginx/1.26.3

2. Check and Update Nginx Proxy Manager

If you use Nginx Proxy Manager, check which base image it ships:

docker exec nginx-proxy-manager nginx -v

NPM typically pins to NGINX 1.27.x, which is not affected. If you are on a recent NPM build that updated to 1.31.0, roll back to a prior tag.

3. Limit Exposure with Firewall Rules

If you cannot downgrade immediately, restrict access:

MikroTik (RouterOS) — allow only trusted source IPs. Use chain=input only if NGINX runs on the router itself; for the usual homelab case, NGINX on a LAN host behind a dst-nat port forward, the traffic passes the forward chain:

# Accept trusted sources first, then drop everything else aimed at the forwarded ports
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 connection-nat-state=dstnat \
    src-address-list=trusted-hosts action=accept place-before=0
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 connection-nat-state=dstnat \
    action=drop place-before=1

place-before is a rule index, so the accept rule has to land above the drop; adding both with place-before=1 would insert the drop ahead of the accept and lock out your trusted hosts too.

Linux / nftables — allow only trusted source IPs. A rate limit alone does not help here, since a single request can carry the exploit; an allowlist does:

# Assumes table inet filter and chain input already exist; nft names may not contain hyphens
nft add set inet filter trusted_hosts '{ type ipv4_addr; flags interval; }'
nft add element inet filter trusted_hosts '{ 203.0.113.0/24, 198.51.100.7 }'   # replace with your addresses
nft add rule inet filter input tcp dport '{ 80, 443 }' ip saddr @trusted_hosts accept
nft add rule inet filter input tcp dport '{ 80, 443 }' drop

If NGINX also listens on IPv6, add a matching ipv6_addr set and ip6 saddr rules, or the v6 path stays open.

4. Deploy a WAF Layer

Add a Web Application Firewall in front of NGINX. CrowdSec's AppSec component, which ships inside the crowdsec agent, can block known-bad request patterns. With no public exploit details yet, only its generic rule sets apply, so treat it as defence in depth rather than a fix:

# docker-compose.yml — CrowdSec agent with the AppSec component enabled
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    volumes:
      - ./crowdsec/db:/var/lib/crowdsec/data
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
    environment:
      # nginx parses access logs; the appsec-* collections carry the WAF rule sets
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
    ports:
      # 8080: local API for bouncers; 7422: AppSec listener declared in acquis.yaml
      - "8080:8080"
      - "7422:7422"
    restart: unless-stopped

The AppSec component is not inline; something has to hand it each request. CrowdSec's nginx bouncer does that from inside NGINX, but a bouncer running inside the vulnerable process only sees a request after NGINX has already parsed it, so for this flaw the inspecting hop belongs in a separate front-end proxy that queries AppSec first and only then forwards to the vulnerable NGINX.
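The acquis.yaml that the compose file mounts must declare the AppSec listener, otherwise nothing answers on 7422 and the collection's rules never run. The following is an added example in CrowdSec's documented acquisition format, not configuration from the advisory; the access-log path is an assumption, and crowdsecurity/appsec-default is the hub's default AppSec profile.

```yaml
# ./crowdsec/acquis.yaml (added example, not from the advisory)
# Document 1: the AppSec listener that the bouncer or front-end proxy queries
appsec_config: crowdsecurity/appsec-default
labels:
  type: appsec
listen_addr: 0.0.0.0:7422
source: appsec
---
# Document 2: access-log source for the crowdsecurity/nginx collection
# (path is an assumption; mount your real log directory into the container)
filenames:
  - /var/log/nginx/access.log
labels:
  type: nginx
```

After the container starts, cscli collections list should show the three collections installed and cscli metrics should show the appsec source receiving requests once the bouncer or proxy is wired up.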

5. Enable ASLR (Already On, But Verify)

ASLR is standard on modern Linux but verify it is active on the host. Containers share the host kernel, so this is a host setting, not a per-container one:

cat /proc/sys/kernel/randomize_va_space
# Must return 2 (full randomization)
# 0 = disabled, 1 = partial, 2 = full

If it returns anything other than 2, enable it:

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
# Make permanent:
echo 'kernel.randomize_va_space = 2' | sudo tee /etc/sysctl.d/01-aslr.conf

ASLR only randomizes the nginx binary's own code if it was built position-independent; file "$(command -v nginx)" reports "pie executable" for such a build. Distribution packages are built PIE, but check any self-compiled or third-party binary.

Note: ASLR is not a complete mitigation. poolslip includes a memory disclosure primitive that leaks the layout, so it raises the cost of a reliable exploit rather than preventing one.

6. Audit Your NGINX Configuration

Remove or minimize use of set, map, geo, and upstream with dynamic variable expansion:

# Instead of dynamic set:
set $backend "http://${service_name}:${port}";
proxy_pass $backend;

# Consider static upstream blocks:
upstream backend {
    server app1:8080;
    server app2:8080;
}
server {
    location / {
        proxy_pass http://backend;
    }
}
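A single grep tells you where the directives are, but not which ones actually expand variables, and that distinction is what the rewrite above is about. The script below is an added example, not tooling from the advisory or the NGINX project: it serves both the "Check if You Use Affected Directives" grep and this audit step, listing every set/map/geo/upstream directive in a config tree and marking the ones that reference a variable. It also flags proxy_pass with a variable target, the dynamic routing pattern rewritten above. The sample config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the advisory or the NGINX project: list the set/map/geo/upstream
# directives in a config tree and flag the ones that expand a variable ($name), the pattern
# the advisory describes as the trigger path. proxy_pass with a variable target is flagged
# too, since that is the dynamic routing pattern the audit step rewrites.
# The config written by make_sample_config is constructed for this demo.

# audit_nginx_conf PATH -> one line per hit: VAR:FILE:LINE:TEXT or STATIC:FILE:LINE:TEXT
audit_nginx_conf() {
    # -H forces the filename prefix even when PATH is a single file; -E for the alternation
    grep -rnHE '^[[:space:]]*(set|map|geo|upstream|proxy_pass)[[:space:]]' "$1" 2>/dev/null |
    while IFS= read -r hit; do
        text=${hit#*:*:}          # drop the FILE:LINE: prefix before inspecting the directive
        case "$text" in
            *'$'*) echo "VAR:$hit" ;;      # references an NGINX variable: review or rewrite
            *)     echo "STATIC:$hit" ;;   # static directive, e.g. a fixed upstream block
        esac
    done
}

# var_hit_count PATH -> number of VAR lines (0 if none or if PATH does not exist)
var_hit_count() {
    n=$(audit_nginx_conf "$1" | grep -c '^VAR:')
    echo "${n:-0}"
}

# make_sample_config -> prints the path of a temporary config tree mixing both patterns
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf.d"
    cat > "$dir/conf.d/app.conf" <<'EOF'
map $http_host $backend_name {
    default app1;
    api.lab.internal app2;
}
set $backend "http://${backend_name}:8080";
upstream static_pool {
    server app1:8080;
}
server {
    location / {
        proxy_pass $backend;
    }
}
EOF
    echo "$dir"
}

# Usage against a real install (prints the hits, then the number of variable-expanding lines):
#   audit_nginx_conf /etc/nginx; var_hit_count /etc/nginx
```

On the sample config the map, set and proxy_pass lines come back as VAR and the upstream block as STATIC, which is exactly the split the rewrite above aims for: keep the static upstream, replace the variable-driven routing.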

7. Consider a Temporary Proxy Swap

If your homelab cannot tolerate any NGINX risk, swap to an alternative reverse proxy temporarily:

  • Caddy — Simple, HTTPS by default, a Go codebase that shares nothing with NGINX's pool allocator
  • Traefik — Dynamic config, popular in Docker homelabs
  • HAProxy — Battle-tested, different codebase, excellent performance

Migration doesn’t have to be permanent. Run Caddy or Traefik as a temporary front-end while NGINX waits for the patch.


Patch Readiness Plan

When F5 releases the fix, you need to act fast:

  1. Subscribe to the F5 security advisory feed
  2. Monitor the NebSec disclosure timeline — full details drop 30 days post-patch
  3. Pin to the patched version immediately — use nginx:1.31.1 or similar
  4. Test on a non-production container first

# Automated update for Docker Compose setups:
docker compose pull nginx
docker compose up -d nginx
docker exec nginx nginx -v
# Expected: nginx version: nginx/1.31.1 (or whatever patch version)

Summary

Action                              Priority   Effort
Check your NGINX version            🔴 High    1 min
Pin Docker image to safe version    🔴 High    5 min
Limit exposure with firewall rules  🟡 Medium  10 min
Audit set/map/geo directives        🟡 Medium  15 min
Deploy WAF layer                    🟢 Low     30 min
Subscribe to F5 advisories          🟢 Low     2 min

The nginx-poolslip zero-day is serious but manageable for homelabs. Downgrading to a safe version or pinning your Docker image is the single most effective action you can take today. Add firewall restrictions and subscribe to the advisory feed so you know the moment a patch drops.

Check your NGINX version now, pin to a safe release, and stay alert for the F5 patch. Your homelab will be fine.