NGINX Poolslip Zero-Day Reveals Persistent Supply-Chain Fragility in Global Web Infrastructure
nginx-poolslip demonstrates recurring memory-pool corruption in NGINX post-Rift, amplifying supply-chain risks across millions of servers with an ASLR bypass that mainstream reporting has overlooked.
The disclosure of nginx-poolslip by NebSec on May 21, 2026, exposes a critical gap in F5’s handling of the earlier Rift patch (CVE-2026-42945). While Rift targeted a rewrite-module buffer miscalculation allowing cleanup-handler corruption in ngx_pool_t, poolslip leverages an unaddressed shared code path in dynamic variable parsing across set, map, geo, and upstream directives. This results in the same hijacked ngx_pool_cleanup_t pointer but via a route the 1.31.0 boundary checks never covered. The confirmed ASLR bypass via memory disclosure primitives elevates the threat to highly reliable remote code execution on default-configured Linux distributions.

Mainstream coverage has focused narrowly on the technical PoC, missing the broader pattern: NGINX’s per-request pool allocator design, optimized for performance since its inception, creates systemic memory-adjacency risks that recur across versions. Historical parallels include the 2013 chunked-encoding flaw and the 2021 request-smuggling issues, both of which required multiple iterative fixes. With NGINX powering over 30 percent of internet-facing servers and embedded in cloud load balancers, CDNs, and government portals, a reliable zero-day here constitutes supply-chain-scale exposure.

F5’s 30-day disclosure window leaves defenders without mitigations while state actors and ransomware groups monitor the timeline. Artem Russakovskii’s warning underscores that even patched deployments remain at risk, highlighting incomplete root-cause analysis in the Rift remediation. Organizations must prioritize configuration hardening, such as disabling unnecessary dynamic directives and monitoring for anomalous pool allocations, until a comprehensive patch addresses the shared logic.
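To act on the hardening advice above, a defender first needs an inventory of where the named directives (set, map, geo, upstream) appear in a configuration. The following is an added example, not code from NebSec, F5 or the NGINX project: the `audit` function, its simplified tokenizer and the sample configuration are constructed for illustration, and `include` files are not followed.

```python
import re

# Directives the article names as sharing the variable-parsing code path.
WATCHED = {"set", "map", "geo", "upstream"}
# Comment, quoted string, structural character, or bare word (may hold ${var}).
TOKEN = re.compile(
    r"""#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|(?:\$\{\w+\}|[^\s;{}#"'])+""")
# Constructed sample configuration, not taken from any real deployment.
SAMPLE = r"""
http {
    map $http_upgrade $connection_upgrade { default upgrade; '' close; }
    geo $internal { default 0; 10.0.0.0/8 1; }
    upstream backend { server 127.0.0.1:8080; }
    server {
        location /api {
            set $trace "req-${request_id}";  # remove if nothing reads $trace
        }
    }
}
"""

def audit(conf_text):
    """Return (line, directive, args, enclosing blocks) per watched directive."""
    findings, stack, stmt, stmt_line = [], [], [], 0
    for m in TOKEN.finditer(conf_text):
        tok = m.group(0)
        if tok.startswith("#"):
            continue
        if tok == "}":
            del stack[-1:]  # tolerate an unbalanced closing brace
            stmt = []
        elif tok in (";", "{"):
            # Entries inside map/geo tables are data rows, not directives.
            in_table = bool(stack) and stack[-1].split()[0] in ("map", "geo")
            if stmt and stmt[0] in WATCHED and not in_table:
                findings.append((stmt_line, stmt[0], " ".join(stmt[1:]),
                                 " > ".join(stack) or "main"))
            if stmt and tok == "{":
                stack.append(" ".join(stmt))
            stmt = []
        else:
            if not stmt:
                stmt_line = conf_text.count("\n", 0, m.start()) + 1
            stmt.append(tok)
    return findings

if __name__ == "__main__":
    for line, name, args, ctx in audit(SAMPLE):
        print(f"line {line}: {name} {args}  [in {ctx}]")
```

Feeding it the output of `nginx -T` covers included files in one pass; the reported line numbers then refer to that dump rather than to the individual files.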
SENTINEL: Poolslip’s shared-logic bypass after Rift signals that NGINX’s allocator design will continue generating exploitable flaws until fundamentally rearchitected, exposing global web infrastructure to prolonged zero-day windows.
Sources (3)
- [1] Primary Source: https://thecybersecguru.com/exploits/nginx-poolslip-0day-rce-vulnerability/
- [2] Related Source: https://nginx.org/en/security_advisories.html
- [3] Related Source: https://www.f5.com/company/blog/nginx-security