Impact
CVE-2026-42945 is a heap-based buffer overflow in the NGINX rewrite module (ngx_http_rewrite_module) affecting the NGINX Open Source and NGINX Plus release ranges listed by F5 and NVD [S1][S2]. On a vulnerable runtime that has loaded an affected rewrite configuration, requests reaching the configured routes can crash worker processes (denial of service) and may allow code execution in the worker's context [S1][S2]. A vulnerable binary whose configuration never exercises the affected rewrite-module path is exposed only once such a configuration is loaded.
Root cause
The advisory ties the issue to rewrite-module configuration that combines positional PCRE capture handling with later rewrite-module directives [S1][S2]. Actual runtime risk depends on the NGINX release, vendor patch level, loaded include graph, deployed configuration, and whether affected routes are reachable.
Covered by FixVibe
FixVibe GitHub repo scans now look for affected NGINX version evidence together with NGINX rewrite configuration evidence. Findings are reported as source/config advisory evidence with medium confidence. FixVibe does not run NGINX, evaluate a full live include graph, send requests to configured routes, crash-test worker processes, or claim memory-corruption proof.
Fix
Upgrade to NGINX Open Source 1.30.1 or newer, or to the fixed NGINX Plus patch release for your branch [S1][S2]. Then rebuild and redeploy every artifact that can serve the affected configuration: container images, host packages, ingress-controller images, and NGINX Plus runtimes. Review rewrite-module configuration and prefer named captures or simpler routing where positional captures feed later rewrite-module directives; this reduces exposure to the affected code path but does not replace the upgrade. Validate with nginx -t, reload NGINX, run the normal route smoke tests, and rerun the FixVibe GitHub repo scan.
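The following is an added example, not FixVibe's scanner and not code from F5 or the NGINX project. It re-creates, as a small POSIX shell script, the two kinds of repo-side evidence described above: an NGINX Open Source version below the fixed 1.30.1 release (the only version figure taken from this page) and rewrite-module directives that reference positional PCRE captures ($1 to $9). The function names, the directive list, and the sample server block are assumptions made for illustration; the sample configuration is constructed here and is not an advisory reproducer. A match is configuration or version evidence in the same sense as the FixVibe finding, not proof that the overflow is reachable.

```shell
#!/bin/sh
# Added example (not FixVibe's, F5's or NGINX's code). Mirrors the two evidence
# types named on the page: an NGINX Open Source version below the fixed 1.30.1
# release, and rewrite-module directives using positional PCRE captures.
# Function names, directive list and sample config are assumptions.

FIXED_OSS="1.30.1"   # fixed Open Source release named in the advisory summary

# Pull "1.28.0" out of the line `nginx -v` prints (on stderr), e.g.
# "nginx version: nginx/1.28.0". NGINX Plus prints an extra suffix that is
# ignored here; Plus builds must be compared against the vendor's Plus patch
# release, not against FIXED_OSS.
nginx_version_from_output() {
  printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# version_lt A B: succeed when dotted numeric version A sorts before B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# needs_upgrade VERSION: succeed when an Open Source VERSION is below the fix.
needs_upgrade() { version_lt "$1" "$FIXED_OSS"; }

# Print rewrite-module directives (rewrite, return, set, if) whose arguments
# reference a positional capture $1..$9. Comments are stripped first; named
# captures ($name) and capture-free directives are not reported. This is a
# line-oriented heuristic: it does not resolve includes or parse nginx syntax.
positional_capture_lines() {
  printf '%s\n' "$1" \
    | sed 's/#.*$//' \
    | grep -E '^[[:space:]]*(rewrite|return|set|if)[[:space:]]' \
    | grep -E '\$[1-9]'
}

# Count of such lines, always printing a number (0 when nothing matched).
count_positional_captures() {
  positional_capture_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample server block (illustration only, not a reproducer).
SAMPLE_CONF='server {
    listen 80;
    # positional capture from rewrite reused by later rewrite-module directives
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1 last;
        set $tail $1;
        return 301 /archive/$tail;
    }
    # named capture: not reported by this heuristic
    location /docs/ {
        rewrite ^/docs/(?<page>.*)$ /help/$page permanent;
    }
}'

# Stand-alone demo against a constructed `nginx -v` line and the sample block.
ver="$(nginx_version_from_output "nginx version: nginx/1.28.0")"
if needs_upgrade "$ver"; then
  echo "nginx $ver is below $FIXED_OSS: upgrade"
fi
echo "rewrite-module lines using positional captures:"
positional_capture_lines "$SAMPLE_CONF"
```

On a live host, feed the resolved configuration rather than individual files: `nginx -T 2>/dev/null` prints the full include graph as NGINX parsed it, so `positional_capture_lines "$(nginx -T 2>/dev/null)"` covers included files that a repository scan of a single conf would miss. Treat the output as a review worklist: each reported line is a place to consider named captures or simpler routing, and the upgrade remains the fix regardless of what the scan finds.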
