Skip to main content

Nginx 1.31.2

Release Date: June 17, 2026

Nginx 1.31.2 — What's Actually in the Box

Let's not get carried away. Nginx 1.31.2 is a mainline release — not a stable LTS, not a feature bonanza. It's a security patch with a handful of minor improvements. If you're running the previous mainline (1.31.1 or earlier), you should upgrade. If you're on the stable branch (1.30.x), you can wait for the next stable release.

Security Fixes Worth Your Attention

Three CVEs were patched in this release, and they're not all theoretical:

  • CVE-2026-42530 — Use-after-free vulnerability in ngx_http_v3_module (HTTP/3). Critical for anyone using HTTP/3. Under specific conditions, an attacker could trigger memory corruption.
  • CVE-2026-42055 — Buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module. Affects proxy and gRPC users. The proxy_v2 module sees heavy production use — this one is real.
  • CVE-2026-48142 — Buffer overread in ngx_http_charset_module. Lower severity but still worth patching if charset conversion is part of your pipeline.

The "New Features" (Use Air Quotes)

There are a few quality-of-life changes, but don't expect fireworks:

  • SipHash for $request_id generation — A performance optimization that speeds up unique request ID generation. Marginal gain unless you're generating millions of IDs per second.
  • $ssl_sigalgs variable — Exposes the signature algorithm used in the TLS handshake. Useful for debugging cipher mismatches, but adds yet another variable to an already crowded namespace.
  • Split clients range boundary improvement — Better calculation of range boundaries in the split_clients module. A fix nobody asked for but that makes the math correct.
  • Constant-time comparison in secure_link — A side-channel hardening measure. Good practice, but unless you're using secure_link in a security-critical path, this won't change your day.

The Migration Reality Check

Upgrading from 1.30.2 (the stable branch) to 1.31.x is a significant jump — mainline releases come with more churn and less testing than stable. If you're on 1.30.x, wait for 1.32.0 stable unless you need the HTTP/3 fixes today. If you're already on 1.31.1, this is a straightforward patch-level upgrade with no configuration changes required.

As always, test your config before deploying: nginx -t is your friend. The OpenSSL version for Windows builds was also bumped — if you're cross-compiling for Windows, check your toolchain.

The bottom line: Upgrade if you use HTTP/3, gRPC, or proxy_v2. Otherwise, wait for stable. Nginx 1.31.2 is solid, but mainline is mainline.

What is New?

By continuing to use the site, you agree to the use of cookies.