Nginx 1.31.2
Nginx 1.31.2 — What's Actually in the Box
Let's not get carried away. Nginx 1.31.2 is a mainline release — not a stable LTS, not a feature bonanza. It's a security patch with a handful of minor improvements. If you're running the previous mainline (1.31.1 or earlier), you should upgrade. If you're on the stable branch (1.30.x), you can wait for the next stable release.
Security Fixes Worth Your Attention
Three CVEs were patched in this release, and they're not all theoretical:
- CVE-2026-42530 — Use-after-free vulnerability in ngx_http_v3_module (HTTP/3). Critical for anyone using HTTP/3. Under specific conditions, an attacker could trigger memory corruption.
- CVE-2026-42055 — Buffer overflow in ngx_http_proxy_v2_module and ngx_http_grpc_module. Affects proxy and gRPC users. The proxy_v2 module sees heavy production use — this one is real.
- CVE-2026-48142 — Buffer overread in ngx_http_charset_module. Lower severity but still worth patching if charset conversion is part of your pipeline.
The "New Features" (Use Air Quotes)
There are a few quality-of-life changes, but don't expect fireworks:
- SipHash for $request_id generation — A performance optimization that speeds up unique request ID generation. Marginal gain unless you're generating millions of IDs per second.
- $ssl_sigalgs variable — Exposes the signature algorithm used in the TLS handshake. Useful for debugging cipher mismatches, but adds yet another variable to an already crowded namespace.
- Split clients range boundary improvement — Better calculation of range boundaries in the split_clients module. A fix nobody asked for but that makes the math correct.
- Constant-time comparison in secure_link — A side-channel hardening measure. Good practice, but unless you're using secure_link in a security-critical path, this won't change your day.
The Migration Reality Check
Upgrading from 1.30.2 (the stable branch) to 1.31.x is a significant jump — mainline releases come with more churn and less testing than stable. If you're on 1.30.x, wait for 1.32.0 stable unless you need the HTTP/3 fixes today. If you're already on 1.31.1, this is a straightforward patch-level upgrade with no configuration changes required.
As always, test your config before deploying: nginx -t is your friend. The OpenSSL version for Windows builds was also bumped — if you're cross-compiling for Windows, check your toolchain.
The bottom line: Upgrade if you use HTTP/3, gRPC, or proxy_v2. Otherwise, wait for stable. Nginx 1.31.2 is solid, but mainline is mainline.