
The nginx 1.31.1 mainline release patches a nasty buffer overflow in the rewrite module that routinely crashes worker processes when overlapping regex captures slip through. HTTP/2 now strictly caps response header sizes, while MP4 metadata parsing and mail proxy error paths get the quiet stability tweaks they actually need. Admins should push this update immediately, but running a config test first stops the new escape flag validation from breaking legacy routing rules. A simple binary swap and graceful reload handles the deployment, provided the team watches the worker logs for any allocation hiccups.



nginx 1.31.1 Mainline Update Fixes Critical Rewrite Buffer Overflow and Tightens HTTP Headers

The nginx 1.31.1 mainline release just dropped with a patch for a buffer overflow vulnerability in the rewrite module that could expose servers to unexpected crashes or code execution. This update also rounds out several stability improvements for MP4 streaming, HTTP/2 header handling, and mail proxy error paths. Anyone running a public-facing web server should prioritize this upgrade before the rewrite module gets probed by automated scanners.

The rewrite module patch needs attention first

The buffer overflow in the rewrite engine, tracked as CVE-2026-9256, sits right where most operators get sloppy with URL routing. When overlapping capture groups trigger a memory miscalculation, the rewrite handler writes past its allocated buffer and crashes the worker process. Operators who rely on complex regex chains for authentication or legacy URL mapping will see immediate stability gains after applying this patch. The hardening of escape-flag handling in the same module adds another layer of defense against malformed request headers that used to slip through validation checks. Skipping this update leaves a predictable attack surface wide open for anyone running a public-facing site, and the patch is small enough that it should be deployed without hesitation.

HTTP and media handling gets a quiet tuneup

The HTTP/2 module now enforces a strict length limit on Content-Type and Location response headers, which stops oversized headers from breaking downstream proxies or triggering client-side parsing errors. MP4 streaming receives a null-pointer check that prevents segmentation faults when metadata parsing hits edge cases in malformed files. Mail proxy error paths also get cleanup work that stops the server from hanging when authentication backends drop connections unexpectedly. These changes do not make headlines, but they remove the kind of silent failures that keep sysadmins awake during peak traffic windows. The workflow file update mentioned in the release notes is completely pointless for anyone running a production server, since it only touches automated build pipelines and has zero impact on live traffic.

How to deploy nginx 1.31.1 without breaking existing configs

Upgrading to this mainline version follows the standard rollout path, but operators should verify rewrite rules before restarting the service. A quick configuration test with the binary's standard test flag catches syntax errors and confirms that the new escape-flag validation does not reject previously accepted headers. The binary replacement and graceful reload procedure remains unchanged, so existing deployment scripts work without modification. Running the update during a low-traffic window keeps the rollback path clean if a custom module refuses to compile against the new header limits. Checking the worker logs immediately after the reload confirms that the rewrite engine settles into normal operation without throwing allocation warnings.
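The three-step rollout described above (config test, binary swap with graceful reload, then a worker-log check) as a POSIX shell script. This is an added example, not code from the nginx project or from this article. It relies on nginx's documented on-the-fly upgrade mechanism (USR2 starts a new master from the replaced binary, WINCH gracefully stops the old workers, QUIT stops the old master, and the old master renames its pid file to `.oldbin`); the paths, the `NGINX_UPGRADE_RUN` switch and the failure-signature regex in the log check are assumptions, and the sample error log is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the nginx project or this article: the deployment
# sequence as a script. The signals and the .oldbin pid file are nginx's
# documented binary-upgrade mechanism; paths and variable names are assumptions.
NGINX_BIN="${NGINX_BIN:-/usr/sbin/nginx}"
NGINX_CONF="${NGINX_CONF:-/etc/nginx/nginx.conf}"
ERROR_LOG="${ERROR_LOG:-/var/log/nginx/error.log}"
PID_FILE="${PID_FILE:-/run/nginx.pid}"

# Step 1: syntax-check the config before touching the running service, so
# rewrite rules the new escape-flag validation rejects are caught while the
# old workers are still serving traffic.
config_test() {
    "$NGINX_BIN" -t -c "$NGINX_CONF"
}

# Step 2: on-the-fly binary upgrade, run after the new binary has been copied
# over $NGINX_BIN (the running master keeps executing the old image).
upgrade_binary() {
    old_pid=$(cat "$PID_FILE") || return 1
    kill -USR2 "$old_pid"     # start a new master (and workers) from the new binary
    sleep 2
    # the old master renames its pid file to .oldbin once the new one is up
    [ -s "$PID_FILE.oldbin" ] || { echo "new master did not start; nothing changed" >&2; return 1; }
    kill -WINCH "$old_pid"    # gracefully stop old workers; old master stays alive for rollback
    sleep 2
    kill -QUIT "$old_pid"     # commit to the new binary: stop the old master
}

# Step 3: the post-reload log check. Prints how many lines in the error log
# match the two failure signatures the article says to watch for: a worker
# exiting on a signal (a crash) and an allocation failure at alert/crit/emerg.
# The regex is an assumption about what such lines look like.
count_post_reload_problems() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    grep -cE 'worker process [0-9]+ exited on signal [0-9]+|\[(alert|crit|emerg)\] .*(alloc|memory)' "$log" || true
}

# Constructed sample error log (not real nginx output) with one crash and one
# allocation failure among ordinary reload messages, so the check runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2026/03/01 10:00:01 [notice] 1234#1234: signal 1 (SIGHUP) received from 1, reconfiguring
2026/03/01 10:00:02 [alert] 1234#1234: worker process 1235 exited on signal 11
2026/03/01 10:00:03 [emerg] 1236#1236: malloc(65536) failed (12: Cannot allocate memory)
2026/03/01 10:00:04 [notice] 1234#1234: start worker process 1237
EOF

echo "problems in sample log: $(count_post_reload_problems "$SAMPLE_LOG")"

# The live steps only run when explicitly requested, so the script is safe to
# source or execute on a machine without nginx installed.
if [ "${NGINX_UPGRADE_RUN:-0}" = "1" ]; then
    config_test && upgrade_binary && sleep 5 && count_post_reload_problems "$ERROR_LOG"
fi
```

Run it with `NGINX_UPGRADE_RUN=1` after copying the new binary into place. The WINCH step is what keeps the rollback path clean: the old master is still alive until QUIT, so if the new workers misbehave you can send HUP to the old master to restart its workers and QUIT to the new master instead. A non-zero count from the log check after the reload is the cue to do exactly that.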

Release release-1.31.1 · nginx/nginx

nginx-1.31.1 mainline version has been released, with a fix for buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-9256). See official CHANGES on nginx.org.

Grab the binaries or compile from source when ready, and keep an eye on the access logs to catch any rewrite rule adjustments before the next traffic spike hits.