The main branch nginx 1.31.3 has been released, featuring the development of new features and enhancements. Alongside, the maintained stable branch of nginx 1.30.4 has been updated to address critical bugs and vulnerabilities. The latest updates have fixed 3 vulnerabilities:
- CVE-2026-42533 – A critical buffer overflow issue has been patched. This vulnerability could potentially lead to remote code execution on the server by exploiting regular expression checks in the “map” directive.
- CVE-2026-60005 – The update addresses uninitialized memory leakage in a worker process related to the ngx_http_slice_module module.
- CVE-2026-56434 – Fix for memory access after freeing in a module ngx_http_ssi_module to prevent unauthorized memory modification.
Aside from the security patches, other key changes have been implemented:
- The ngx_http_xslt_filter_module now includes a directive “xml_external_entities” to manage loading of external components in XML documents.
- New directives have been added for setting send and receive buffer sizes in various modules such as proxy, fastcgi, grpc, and scgi.
- Enhancements specific to the LoongArch64 architecture to define block size for data transfer between CPU cache and memory.
- The update also introduces size limitations for headers and trailers in HTTP/2 responses using the proxy_buffer_size and grpc_buffer_size directives.
/Reports, release notes, official announcements.