nginx-1.31.0 Mainline Release Patches HTTP/2 Injection and Adds Least Time Load Balancing
nginx-1.31.0 arrives on the mainline track with a heavy load of security fixes and features that improve traffic routing for busy servers. The release addresses six vulnerabilities, including an HTTP/2 request injection flaw in the proxy module that could allow attackers to manipulate upstream requests. If you run a reverse proxy or use rewrite rules, skipping this update leaves your infrastructure exposed to buffer overflows and address spoofing attacks. Beyond the patches, admins gain least_time load balancing and forward proxy support to optimize performance and flexibility without waiting for the stable branch.
Critical Security Fixes in nginx-1.31.0
The HTTP/2 request injection vulnerability in the ngx_http_proxy_module poses a serious risk for anyone using nginx as a reverse proxy. An attacker could inject headers or alter request data, potentially bypassing access controls or poisoning upstream responses. This flaw requires immediate attention because it breaks the trust boundary between the client and the backend server. The rewrite module also gets patched for a buffer overflow that could crash the worker process or execute arbitrary code when processing complex URL rewrites. System administrators often see instability spike after applying aggressive rewrite rules, and this fix targets those edge cases where memory handling goes wrong under pressure.
Buffer overread issues in the SCGI and UWSGI modules allow attackers to read beyond allocated memory boundaries. This can leak sensitive information from the server's memory space to remote clients. The charset module receives a similar patch for buffer overreads, which matters if you serve content with character set conversions enabled. HTTP/3 users must apply this update to prevent address spoofing attacks that could trick the server into accepting connections from forged sources. Such spoofing undermines logging accuracy and any access control lists that rely on client IP addresses. The OCSP resolver also gets a fix for a use-after-free vulnerability, which prevents memory corruption when validating SSL certificates against revocation status.
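To prioritize which hosts to upgrade first, the six fixes above can be matched against each server's effective configuration. The following is an added example, not code from the nginx project: the directive-to-fix mapping, the function names and the sample configuration are assumptions made here, and the input is expected to be the text of `nginx -v` and `nginx -T`.

```python
import re

# Directive -> fix named in the release summary. The directive mapping is this
# example's assumption; the summary names modules, not directives.
PATCHED_AREAS = {
    "proxy_pass": "HTTP/2 request injection (ngx_http_proxy_module)",
    "rewrite": "rewrite module buffer overflow",
    "scgi_pass": "SCGI buffer overread",
    "uwsgi_pass": "UWSGI buffer overread",
    "charset": "charset module buffer overread",
    "http3": "HTTP/3 address spoofing",
    "ssl_ocsp": "OCSP resolver use-after-free",
    "ssl_stapling": "OCSP resolver use-after-free",
}
FIXED_IN = (1, 31, 0)  # mainline only; vendor or stable backports need their own check

def parse_version(banner):
    """(major, minor, patch) from `nginx -v` output; raises if absent."""
    return tuple(map(int, re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner).groups()))

def statements(config_text):  # naive split of `nginx -T` output; ignores quoting
    for stmt in re.split(r"[;{}]", re.sub(r"#.*", "", config_text)):
        if stmt.split():
            yield stmt.split()

def exposure(banner, config_text):
    """Return the patched areas this config exercises, [] if already fixed."""
    if parse_version(banner) >= FIXED_IN:
        return []
    hits = set()
    for name, *args in statements(config_text):
        if args and args[-1] == "off":
            continue  # e.g. `charset off;`, `ssl_stapling off;`
        if name == "listen" and "quic" in args:
            hits.add(PATCHED_AREAS["http3"])  # QUIC listener serves HTTP/3
        elif name in PATCHED_AREAS:
            hits.add(PATCHED_AREAS[name])
    return sorted(hits)

# Constructed sample, not taken from a real host.
SAMPLE_CONFIG = """
charset off;
server {
    listen 443 quic reuseport;
    # uwsgi_pass 127.0.0.1:3031;
    location /api/ { proxy_pass http://backend; }
    location /old/ { rewrite ^/old/(.*)$ /new/$1 permanent; }
}
"""
```

An empty result for an older version means none of the mapped directives were found in that configuration; it does not replace the upgrade.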
New Features: Least Time Load Balancing and Forward Proxy Support
nginx-1.31.0 introduces least_time load balancing for both HTTP and stream protocols, giving admins a smarter way to distribute traffic across upstream servers. This method selects the peer with the lowest response time plus active connections, which often yields better latency than the traditional least_conn approach. It works best when backend servers have varying processing speeds or when network conditions fluctuate frequently. The release also adds HTTP forward proxy support, allowing nginx to handle CONNECT requests and tunnel traffic for clients that need to route through a proxy server. This feature is useful for corporate environments where internal clients require outbound filtering or monitoring via the proxy.
Other Updates Worth Noting
Windows administrators get an updated OpenSSL library in the win32 builds, which brings better crypto support and fixes known issues in older versions. The stream module now supports ALPN for proxy_ssl upstream connections, improving protocol negotiation when connecting to modern backends. Path validation for WebDAV COPY and MOVE operations has been tightened to prevent directory traversal attacks that could expose files outside the intended root. Keepalive handling for HTTP/2 proxies receives a fix for cases where no request body is specified, resolving connection drops that some users report after upgrading.
nginx-1.31.0 mainline version has been released with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926)
Grab the latest source tarball or binary package and review your configuration for any new directives related to least_time or forward proxy settings. Restarting nginx with this version ensures your server stays secure against the reported vulnerabilities while unlocking performance improvements for latency-sensitive workloads. Admins who ignore mainline updates until the stable release drops might find themselves playing whack-a-mole with CVEs, so getting ahead of these patches saves headaches down the road.
