Nginx 1.31.2 Patches Vulnerabilities in HTTP/3, HTTP/2, gRPC

Latest Release of nginx (1.31.2) Addresses Critical Vulnerabilities

nginx 1.31.2 has been released from the main branch, where development of new features continues. At the same time, nginx 1.30.3 has been released from the maintained stable branch, which receives only fixes for serious bugs and vulnerabilities. The latest updates fix three vulnerabilities:

  • CVE-2026-42530 – a use-after-free (access to already freed memory) in the HTTP/3 protocol implementation, rated critical with a severity level of 9.2, potentially leading to remote code execution via the QUIC protocol.
  • CVE-2026-42055 – a buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules, allowing remote code execution when proxying specific requests via HTTP/2 or to gRPC backends.
  • CVE-2026-48142 – an out-of-bounds read (reading from an area outside the allocated buffer) when processing crafted requests with UTF-8 text encoding using ngx_http_charset_module.
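
A quick way to triage a host against the fixed releases listed above, as an added example that is not part of the original announcement or of the nginx project. The function names and the sample output are constructed for illustration; the script assumes that any 1.30.x or 1.31.x release older than the fixed one needs the update, and it reports other branches as not covered because the announcement does not mention them.

```shell
# Fixed releases named in the announcement above.
FIXED_MAIN="1.31.2"     # main branch
FIXED_STABLE="1.30.3"   # stable branch

# ver_lt A B: succeeds if dotted version A is strictly older than B.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# nginx_version TEXT: pull X.Y.Z out of the "nginx version: nginx/X.Y.Z" line.
nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's|^nginx version: [^/]*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# patch_status VERSION: compare with the fixed release of the same branch.
# Assumption: any older 1.30.x / 1.31.x release needs the update.
patch_status() {
    case "$1" in
        '')     echo "unknown"; return ;;
        1.31.*) fixed=$FIXED_MAIN ;;
        1.30.*) fixed=$FIXED_STABLE ;;
        *)      echo "not-covered"; return ;;  # branch not named in the announcement
    esac
    if ver_lt "$1" "$fixed"; then echo "update-needed"; else echo "fixed"; fi
}

# has_http3 TEXT: succeeds if the build was configured with the HTTP/3 module.
# Being compiled in does not mean HTTP/3 is enabled in the configuration.
has_http3() {
    case "$1" in *--with-http_v3_module*) return 0 ;; esac
    return 1
}

# triage TEXT: one-line verdict for captured `nginx -V 2>&1` output.
triage() {
    v=$(nginx_version "$1")
    if has_http3 "$1"; then h3="http3-built"; else h3="http3-not-built"; fi
    echo "${v:-?} $(patch_status "$v") $h3"
}

# Constructed sample of `nginx -V 2>&1` output, not taken from a real host.
SAMPLE='nginx version: nginx/1.31.1
built with OpenSSL 3.0.13
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_v3_module'
triage "$SAMPLE"
```

On a live host, call it as `triage "$(nginx -V 2>&1)"`, since nginx prints its version and configure arguments to stderr.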

Alongside the vulnerability fixes, nginx 1.31.2 introduces the $ssl_sigalgs variable, which contains the digital signature algorithms declared by the client in the ClientHello message during TLS connection negotiation. The $request_id variable now generates its identifier using the SipHash-2-4 hashing algorithm.
