Nginx 1.30.2
NGINX, the world's most widely used web server and reverse proxy, released version 1.30.2 on May 22, 2026. The update is a security release that addresses a heap buffer overflow vulnerability in the ngx_http_rewrite_module, designated CVE-2026-9256.
What Changed
The vulnerability, nicknamed "nginx-poolslip" by security researchers, affects configurations using overlapping captures in rewrite rules. A remote attacker could craft a request that triggers a heap buffer overflow in the NGINX worker process, potentially leading to a denial-of-service condition or, in more severe cases, arbitrary code execution.
The CVSS severity rating for CVE-2026-9256 is medium, but the exploit surface is broad — any NGINX deployment with complex rewrite rules using capture groups is potentially at risk.
Why It Matters
NGINX powers over 30% of all websites globally, making security vulnerabilities in the server a systemic risk across the internet. While this particular vulnerability requires specific configuration conditions to exploit, the potential for denial-of-service attacks makes patching a priority for production deployments.
The fix is included in both the 1.30.2 stable branch and the 1.31.1 mainline branch, ensuring that users on either track receive the security patch.
What's Next
NGINX's new release model, announced May 13, 2026, introduces Long-Term Support (LTS) releases alongside Continuous Releases (CR). Users running mission-critical deployments should evaluate the LTS track for longer stability windows. The 1.30.x stable branch continues to receive security backports and critical bug fixes.
Administrators are strongly advised to update immediately. The standard apt-get upgrade nginx or equivalent package manager command will apply the patch for most distributions.
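For triage before and after the upgrade, the following added example (not NGINX project code) compares a version string against the fixed releases named above and lists rewrite directives that use capture groups. The function names and the sample configuration are constructed for illustration, and the pattern match flags candidates for review rather than confirming exposure.

```shell
#!/usr/bin/env bash
# Added triage sketch for CVE-2026-9256; not NGINX project code.
# Fixed versions are the ones this page names.
FIXED_STABLE="1.30.2"
FIXED_MAINLINE="1.31.1"

# ver_ge A B: succeeds when version A >= version B (needs GNU sort -V).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# has_fix VERSION: succeeds when the upstream version number carries the fix.
# Assumption: releases after 1.31.1 keep it. Distribution packages may
# backport the patch under an older number, so check the package changelog too.
has_fix() {
    case "$1" in
        1.30.*) ver_ge "$1" "$FIXED_STABLE" ;;
        *)      ver_ge "$1" "$FIXED_MAINLINE" ;;
    esac
}

# parse_version: extract X.Y.Z from `nginx -v` output given on stdin.
parse_version() {
    sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# capture_rewrites: print rewrite directives (config on stdin) whose regex has
# a capturing group, numbered or named. Candidates for review, not proof.
capture_rewrites() {
    grep -nE '^[[:space:]]*rewrite[[:space:]]+[^;]*\((\?P?<|[^?])' || true
}

# Constructed sample configuration, for demonstration only.
sample_config() {
    cat <<'EOF'
server {
    rewrite ^/old$ /new permanent;
    rewrite ^/u/([0-9]+)/(.*)$ /user?id=$1&p=$2 last;
    rewrite ^/(?:a|b)/x$ /y break;
    rewrite ^/(?<sec>[a-z]+)/(.*)$ /$sec/index?q=$2 last;
}
EOF
}

v=$(echo 'nginx version: nginx/1.30.1' | parse_version)   # constructed input
has_fix "$v" && echo "$v: fixed" || echo "$v: needs update"
sample_config | capture_rewrites
```

On a real host, feed the functions live data with `nginx -v 2>&1 | parse_version` and `nginx -T 2>/dev/null | capture_rewrites`.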