Skip to main content

Nginx 1.31.3

Release Date: July 15, 2026

Nginx 1.31.3 ships with three critical security fixes — this is a must-install update for anyone running Nginx in production. The release patches a heap buffer overflow, uninitialized memory access, and a use-after-free vulnerability, alongside important configuration changes for HTTP/2 proxying.

Security Fixes

Three CVEs are addressed in this release, all of which could lead to worker process compromise or memory disclosure under specific conditions:

  • CVE-2026-42533: Heap buffer overflow in worker processes when using the map directive with regex matching, if the map variable was included in a string expression after a capture affected by this map. Credit to Mufeed VH of Winfunc Research and Maxim Dounin.
  • CVE-2026-60005: Uninitialized memory access when using unnamed regex captures with the slice directive or background cache update. Could result in worker process memory disclosure or termination.
  • CVE-2026-56434: Use-after-free when processing a specially crafted proxied backend response with the ngx_http_ssi_filter_module. Credit to P4P3R-HAK.

Configuration Changes

Two configuration changes tighten the default security posture:

  • HTTP/2 proxy buffers: The size of headers and trailers in HTTP/2 responses in the ngx_http_proxy_v2_module and ngx_http_grpc_module is now limited by the proxy_buffer_size and grpc_buffer_size directives respectively. Previously these were unbounded.
  • XSLT external entities: Loading of external entities is now disabled by default in the ngx_http_xslt_filter_module. The new xml_external_entities directive allows re-enabling this for backward compatibility if needed.

Upgrade Now

Given the security nature of this release, upgrading should be a high priority for all production deployments. The configuration changes are backward-compatible — existing configs will continue to work, though you may want to review any proxy_buffer_size and grpc_buffer_size settings if you use HTTP/2 proxying.

Download Nginx 1.31.3 from the official download page or use your system package manager. Check the full changelog for details.

What is New?

By continuing to use the site, you agree to the use of cookies.