Nginx 1.31.2 Released with Critical Security Fixes and Faster Request IDs
The nginx 1.31.2 mainline release dropped this week, and it brings three security patches that actually matter for anyone running public-facing proxies or gRPC services. The core updates tighten up HTTP/3, proxy, and charset handling, while the rest of the changelog quietly improves performance and logging accuracy. Getting this update installed matters more for server stability than chasing the latest feature branch.
Critical CVE patches in nginx 1.31.2 demand immediate attention
The use-after-free flaw in the HTTP/3 module could let a malformed QUIC stream corrupt memory. A buffer overflow in the proxy v2 and gRPC modules opens the door to stack corruption when handling large upstream responses. An overread in the charset module leaks uninitialized data when parsing certain multi-byte encodings. Memory corruption bugs like these tend to follow the same pattern as servers that quietly segfault after a bad driver update or a rushed config change: silent degradation before they actually blow up. Rolling out this patch stops the bleeding before attackers or misconfigured clients trigger the flaw.
SipHash, SSL variables, and constant-time comparisons
The $request_id generation now uses SipHash instead of the older random number generator. That change cuts down on hash collisions during high concurrency and makes tracing requests across reverse proxy chains noticeably cleaner. The new $ssl_sigalgs variable gives operators a direct look at the signature algorithms negotiated during TLS handshakes, which helps when troubleshooting certificate chain mismatches on older clients. Secure link module comparisons now run in constant time, which prevents timing side-channel attacks from revealing valid signature lengths. These are the kind of quiet improvements that keep production logs readable and keep attackers guessing.
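To show why the constant-time change matters, here is an added example (not nginx source and not code from the release) that compares an early-exit digest check with a constant-time one and counts the bytes each examines. The function names, the step counter standing in for elapsed time, and the 16-byte sample digest are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define DIGEST_LEN 16            /* MD5 digest size in bytes */
typedef unsigned char u8;

/* Early exit: *steps (bytes examined) tracks the matching prefix length. */
static int leaky_equal(const u8 *a, const u8 *b, size_t n, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        ++*steps;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant time: reads all n bytes, ORs differences; no data-dependent branch. */
static int ct_equal(const u8 *a, const u8 *b, size_t n, size_t *steps) {
    u8 diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        ++*steps;
        diff |= (u8)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Constructed sample digest, not from any real deployment. */
static const u8 expected[DIGEST_LEN] = {
    0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
    0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f
};

/* Bytes examined for a candidate whose first `prefix` bytes are correct. */
static size_t steps_for_prefix(size_t prefix, int constant_time) {
    u8 cand[DIGEST_LEN];
    size_t steps;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        cand[i] = (u8)(i < prefix ? expected[i] : expected[i] ^ 0xff);
    (constant_time ? ct_equal : leaky_equal)(expected, cand, DIGEST_LEN, &steps);
    return steps;
}

int main(void) {
    for (size_t p = 0; p <= DIGEST_LEN; p += 4)
        printf("prefix=%2zu leaky=%2zu ct=%2zu\n", p,
               steps_for_prefix(p, 0), steps_for_prefix(p, 1));
    return 0;
}
```

The early-exit column grows with the number of correct leading bytes, while the constant-time column stays at 16 regardless of input, so the comparison's duration no longer depends on how much of the candidate is right.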
Logging accuracy, XSLT fixes, and Windows OpenSSL updates
The format length of request_length in the access log got corrected, which stops malformed log lines from breaking log rotation scripts that expect fixed-width fields. The XSLT module finally handles the vsprintf return value properly, preventing buffer truncation warnings when processing large style sheets. Windows builds now ship with a freshly compiled OpenSSL library, which removes the need for manual DLL swaps and keeps win32 deployments from falling behind on cipher support. The client IP range calculation also got a tighter algorithm, so split client routing behaves correctly when dealing with overlapping CIDR blocks.
Release Nginx 1.31.2
nginx-1.31.2 mainline version has been released, with fixes for use-after-free vulnerability in the ngx_http_v3_module (CVE-2026-42530), buffer overflow vulnerability in the ngx_http_proxy_v2_modul...
Running the standard compile cycle matters because it rebuilds the worker processes against the patched memory handling routines, ensuring the old vulnerable binaries do not linger in memory during the swap. Grab the source tarball, patch the configuration files, and keep an eye on the upstream mailing list for any follow-up notes. The build process stays straightforward, and the security gains alone make the downtime worth the few minutes it takes to swap configs. Keep the reverse proxies updated, and the traffic will keep moving without the usual headaches.
