nginx

nginx-1.31.0 mainline version has been released with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926), buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-42934), address spoofing vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701). Additionally, the release features support for HTTP forward proxy and least_time load-balancing method.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• GH: add a workflow to check for the 'version bump' commit by @ac000 in https://github.com/nginx/nginx/pull/1240
• Connection specific headers by @arut in https://github.com/nginx/nginx/pull/1257
• Updated OpenSSL used for win32 builds. by @pluknet in https://github.com/nginx/nginx/pull/1269
• SSL: logging level fixes. by @bavshin-f5 in https://github.com/nginx/nginx/pull/1258
• Changes in ngx_quic_cbs_recv_rcd() by @pluknet in https://github.com/nginx/nginx/pull/1279
• SSL: log SSL_R_RECORD_LAYER_FAILURE at info level by @Smeet23 in https://github.com/nginx/nginx/pull/1267
• Restrict duplicate TE headers in HTTP/2 and HTTP/3. by @arut in https://github.com/nginx/nginx/pull/1275
• HTTP/3: optimize encoder stream memory usage by @arut in https://github.com/nginx/nginx/pull/1274
• Stream: support ALPN for proxy_ssl upstream. by @VadimZhestikov in https://github.com/nginx/nginx/pull/1109
• Prevent Undefined Behaviour in memcpy(3) via ngx_init_cycle() by @ac000 in https://github.com/nginx/nginx/pull/1082
• GH: Add various bits of GitHub automation by @ac000 in https://github.com/nginx/nginx/pull/1172
• Configure: added synonym for the upstream sticky module option by @hyuan-netizen in https://github.com/nginx/nginx/pull/1292
• Stream: evaluate proxy_ssl_alpn once by @pluknet in https://github.com/nginx/nginx/pull/1304
• Request body: fixed empty body buffering special case. by @pluknet in https://github.com/nginx/nginx/pull/977
• Configure: fix gcc version detection in some corner cases by @ac000 in https://github.com/nginx/nginx/pull/1305
• Upstream: least_time load balancing for HTTP and stream. by @saikrishnakumarreddy in https://github.com/nginx/nginx/pull/1306
• Dav: improved path validation for COPY and MOVE operations by @saikrishnakumarreddy in https://github.com/nginx/nginx/pull/1307
• Proxy: fix keepalive for HTTP/2 when no body is specified by @arut in https://github.com/nginx/nginx/pull/1314
• GH: update the stale PR/issue workflow by @ac000 in https://github.com/nginx/nginx/pull/1315
• HTTP CONNECT proxy. by @arut in https://github.com/nginx/nginx/pull/707
• Reject HTTP CONNECT method with no port after colon by @pluknet in https://github.com/nginx/nginx/pull/1335
• GH: set new issues creation date by @ac000 in https://github.com/nginx/nginx/pull/1272
• nginx-1.31.0-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1350

New Contributors

• @Smeet23 made their first contribution in https://github.com/nginx/nginx/pull/1267
• @hyuan-netizen made their first contribution in https://github.com/nginx/nginx/pull/1292
• @saikrishnakumarreddy made their first contribution in https://github.com/nginx/nginx/pull/1306

Full Changelog: https://github.com/nginx/nginx/compare/release-1.29.8...release-1.31.0