Nginx 1.31.3
Nginx 1.31.3 ships with three critical security fixes — this is a must-install update for anyone running Nginx in production. The release patches a heap buffer overflow, uninitialized memory access, and a use-after-free vulnerability, alongside important configuration changes for HTTP/2 proxying.
Security Fixes
Three CVEs are addressed in this release, all of which could lead to worker process compromise or memory disclosure under specific conditions:
- CVE-2026-42533: Heap buffer overflow in worker processes when using the
mapdirective with regex matching, if the map variable was included in a string expression after a capture affected by this map. Credit to Mufeed VH of Winfunc Research and Maxim Dounin. - CVE-2026-60005: Uninitialized memory access when using unnamed regex captures with the
slicedirective or background cache update. Could result in worker process memory disclosure or termination. - CVE-2026-56434: Use-after-free when processing a specially crafted proxied backend response with the
ngx_http_ssi_filter_module. Credit to P4P3R-HAK.
Configuration Changes
Two configuration changes tighten the default security posture:
- HTTP/2 proxy buffers: The size of headers and trailers in HTTP/2 responses in the
ngx_http_proxy_v2_moduleandngx_http_grpc_moduleis now limited by theproxy_buffer_sizeandgrpc_buffer_sizedirectives respectively. Previously these were unbounded. - XSLT external entities: Loading of external entities is now disabled by default in the
ngx_http_xslt_filter_module. The newxml_external_entitiesdirective allows re-enabling this for backward compatibility if needed.
Upgrade Now
Given the security nature of this release, upgrading should be a high priority for all production deployments. The configuration changes are backward-compatible — existing configs will continue to work, though you may want to review any proxy_buffer_size and grpc_buffer_size settings if you use HTTP/2 proxying.
Download Nginx 1.31.3 from the official download page or use your system package manager. Check the full changelog for details.