CVE-2026-9256 (known as "nginx-poolslip") is a high-severity heap-based buffer overflow vulnerability in NGINX’s ngx_http_rewrite_module. This module handles URL rewrites, redirects, and conditional if logic. Exploitation by a remote attacker via malformed HTTP requests can lead to worker process crashes (Denial of Service) or potential Arbitrary Code Execution (RCE).
For EAR, the following buildpacks include nginx:
NGINX versions 0.1.17 through 1.31.0 are vulnerable. The fix is available in 1.31.1+ and 1.30.2+.
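A version check for the ranges above, as an added example that is not part of the original advisory. It assumes "1.30.2+" means releases on the 1.30.x branch at or above 1.30.2; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an NGINX version against the ranges stated in this advisory.
# Assumption: "1.30.2+" covers only the 1.30.x branch (1.30.2 <= v < 1.31.0),
# so 1.31.0 is still vulnerable even though it sorts above 1.30.2.

# Convert MAJOR.MINOR.PATCH to one comparable integer (each part assumed < 1000).
ver_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Accepts a bare version ("1.30.2") or a line of `nginx -v` output
# ("nginx version: nginx/1.30.2"). Prints one of:
#   vulnerable | fixed | not-affected | unknown
classify_nginx() {
    v=${1##*nginx/}   # drop everything up to and including "nginx/"
    v=${v%% *}        # drop any trailing text such as "(Ubuntu)"
    if ! printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo unknown
        return 0
    fi
    n=$(ver_to_int "$v")
    if [ "$n" -lt "$(ver_to_int 0.1.17)" ]; then
        echo not-affected          # below the stated vulnerable range
    elif [ "$n" -ge "$(ver_to_int 1.31.1)" ]; then
        echo fixed                 # 1.31.1 and later
    elif [ "$n" -ge "$(ver_to_int 1.30.2)" ] && [ "$n" -lt "$(ver_to_int 1.31.0)" ]; then
        echo fixed                 # patched 1.30.x releases
    else
        echo vulnerable            # 0.1.17 through 1.31.0, minus patched 1.30.x
    fi
}

# Constructed sample inputs. On a real host, feed it: "$(nginx -v 2>&1)"
# (nginx writes its version banner to stderr).
for sample in "nginx version: nginx/1.31.0" "nginx version: nginx/1.30.2" \
              "1.29.4" "1.31.1"; do
    printf '%-32s %s\n' "$sample" "$(classify_nginx "$sample")"
done
```

For buildpack-deployed apps, run the check against the NGINX version bundled in the staged droplet, not one installed on the operator's workstation.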
Relationship with CVE-2026-42945
CVE-2026-9256 is the direct result of an incomplete patch cycle:
The Legacy Flaw: NGINX originally released a patch for CVE-2026-42945 ("NGINX Rift").
The Gaps: Security auditing of that initial fix revealed a secondary, variant vulnerability in the exact same code path.
The Supersedence: CVE-2026-9256 strictly supersedes CVE-2026-42945. Applying the fix for CVE-2026-9256 completely resolves both vulnerabilities simultaneously.
This vulnerability has been resolved in the following releases of the Staticfile buildpack and the NGINX buildpack. Our documentation is currently being updated and will be published shortly:
Staticfile Buildpack: v1.6.83
NGINX Buildpack: v1.2.82
For further updates regarding this change, please refer to the official buildpack release notes here:
For more details about CVE-2026-42945, please refer to CVE-2026-42945 nginx rewrite rule on Tanzu Buildpacks