Published 24 days ago
Xuan Can
Updated 24 days ago
Hi SafeLine Team,
We are tracking CVE-2026-42945 (the NGINX Rift heap buffer overflow vulnerability). Since SafeLine relies on safeline-tengine which uses the affected rewrite module components, we would like to know the release schedule for the official patch. Could you please let us know which upcoming SafeLine version will include the fix? Is there an ETA for this release? We want to update our systems as soon as possible to mitigate any potential RCE/DoS risks.
Thank you!
Carrie
Updated 24 days ago
Hi Xuan Can,
The version of NGINX used by our WAF (1.24) falls within the affected range. But the default NGINX configuration of SafeLine WAF, as well as the generated site configurations, do not meet the conditions required to exploit this vulnerability.
The impact would only occur if you added custom NGINX configurations that satisfy the exploitation conditions of this vulnerability.
So our short-term recommendation is:
Review your custom NGINX configuration and avoid using numeric captures such as $1/$2 in rewrite rules when concatenating query parameters (?).
It is recommended to switch to named captures or use the return directive instead.
In addition, please ensure that the host system has kernel.randomize_va_space=2 enabled.
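As an added illustration of the two checks in the reply above (this is not SafeLine's code and not part of Carrie's answer): a small POSIX shell audit that scans an nginx/tengine config for `rewrite` directives whose replacement both uses a numeric capture (`$1`, `$2`, ...) and appends a query string with `?`, and that reports whether `kernel.randomize_va_space` is 2. The two config fragments are constructed samples; the location names, regexes and query keys are invented, and the match rule follows the wording of the reply rather than the exact trigger condition of the CVE, so treat a hit as something to review, not as proof of exposure.

```shell
#!/bin/sh
# Heuristic audit for the rewrite pattern described in the thread:
# a rewrite whose replacement argument contains a numeric capture ($N)
# AND a "?" (i.e. it concatenates query parameters). Heuristic only.

# Constructed sample: the shape the reply says to avoid.
RISKY_CONF='
server {
    listen 80;
    location /old/ {
        rewrite ^/old/([^/]+)/(.*)$ /new/$2?item=$1 last;
    }
}
'

# Constructed sample: same routing using a named capture (no $N in the
# replacement) plus a redirect written with return instead of rewrite,
# the two alternatives the reply recommends.
SAFE_CONF='
server {
    listen 80;
    location /old/ {
        rewrite ^/old/(?<item>[^/]+)/(?<rest>.*)$ /new/$rest?item=$item last;
    }
    location = /legacy {
        return 301 /new/index?src=legacy;
    }
}
'

# Print each rewrite line (prefixed with its line number within the input)
# whose replacement field contains both a numeric capture and a "?".
# Assumes one rewrite per line with an unquoted, space-free regex; a regex
# with spaces or a directive split over lines would need a real parser.
find_risky_rewrites() {
    printf '%s\n' "$1" | awk '
        $1 == "rewrite" && NF >= 3 {
            repl = $3
            if (repl ~ /\$[0-9]/ && index(repl, "?") > 0) print NR ": " $0
        }'
}

# Number of flagged rewrite lines in a config string (0 when none).
count_risky_rewrites() {
    find_risky_rewrites "$1" | wc -l | tr -d ' '
}

# Second check from the reply: full ASLR is randomize_va_space=2.
# Takes the value as an argument so it can be checked without root or /proc.
aslr_is_full() {
    [ "$1" = "2" ]
}

# Read the live value (sysctl first, /proc as fallback) and print a verdict.
aslr_status() {
    val=$(sysctl -n kernel.randomize_va_space 2>/dev/null \
          || cat /proc/sys/kernel/randomize_va_space 2>/dev/null \
          || echo unknown)
    if aslr_is_full "$val"; then
        echo "ASLR: ok (kernel.randomize_va_space=$val)"
    else
        echo "ASLR: WARNING kernel.randomize_va_space=$val, expected 2"
    fi
}

echo "== rewrites to review in RISKY_CONF =="
find_risky_rewrites "$RISKY_CONF"
echo "== rewrites to review in SAFE_CONF =="
find_risky_rewrites "$SAFE_CONF"
aslr_status
```

To run it against a real deployment, replace the heredoc strings with the output of `nginx -T` (or the tengine binary's equivalent), which dumps the fully included configuration, so that custom fragments pulled in via `include` are not missed.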
Youwenqwq
Updated 10 days ago
Hi SafeLine Team,
I've noticed some commits fixing recent CVEs have already been merged into tengine's repository. Has safeline-tengine merged them already? 😊