Software 44566 Published by

Nginx 1.31.3 has landed in the mainline branch with three critical security patches targeting buffer overflows and memory leaks in the map, slice, and SSI modules. The update introduces ten new TCP socket buffer directives for granular backend tuning and caps HTTP/2 trailer sizes to prevent unbounded memory allocation. This release also disables external XML entity loading by default and patches several HTTP/3 and QUIC protocol vulnerabilities tracked across the 1.31.x cycle. Developers running the mainline branch should upgrade immediately, while those prioritizing long-term stability can wait for the upcoming 1.32.x stable release.



Nginx 1.31.3 Lands with Heavy Security Patches and New Socket Tuning Directives

Nginx just pushed version 1.31.3 to GitHub, wrapping up a mainline development cycle that has been anything but quiet. The release drops ten new TCP socket buffer directives, tightens up HTTP/2 trailer handling, and patches two critical buffer overflows that could chew through worker process memory.

Keep in mind that odd minor versions like 1.31.x live in Nginx’s mainline branch. That means you are looking at bleeding-edge features and security fixes before they eventually get merged into the even-numbered stable releases. This series kicked off back in May 2026, and 1.31.3 officially lands on July 15. If you have been riding the mainline wave, there is plenty to digest.

Nginx

The Security Patch List

The patch list reads like a defensive perimeter exercise. Sixteen CVEs have been tracked across the 1.31.x releases, but 1.31.3 alone tackles three. CVE-2026-42533 fixes a heap buffer overflow in the map directive when regex captures collide with string expressions. That is a nasty one. There is also CVE-2026-60005, which shuts down an uninitialized memory access leak tied to the slice directive and background cache updates. A third flaw, CVE-2026-56434, addresses a use-after-free bug in the SSI filter module. All three demand an immediate upgrade.

Nginx says the XSLT change was a direct response to industry-wide pushback on XML parsing. External entity loading is now disabled by default. You will need the new xml_external_entities directive if you actually want to pull them in. The team also capped HTTP/2 response header and trailer sizes to existing proxy_buffer_size settings. That stops unbounded memory allocation cold.

New Directives and Protocol Tweaks

Beyond the security patches, 1.31.3 brings practical tuning knobs. Ten new directives let you set send and receive buffer sizes for backend connections across proxy, FastCGI, gRPC, SCGI, uWSGI, and tunnel modules. Next, the protocol hardening in earlier 1.31 releases starts to show its teeth. The rewrite module caught fixes for overlapping capture overflows. HTTP/3 and QUIC got patched for connection migration spoofing and use-after-free bugs. You will also spot the new ngx_http_tunnel_module for bidirectional proxying. A least_time upstream load balancing option rounds out the feature set.

The shift toward fine-grained performance tuning makes sense. Backend architectures have only grown more complex since the last stable branch rolled out. It is a rather dense release for a development line, though the socket buffer controls and protocol hardening do offer real value. For teams prioritizing raw stability, you might want to wait for the 1.32.x stable release. Those patches will carry the tested portions of this mainline cycle.

Release release-1.31.3

release-1.31.3 tag

Release release-1.31.3 · nginx/nginx

If you need to audit TLS handshakes, keep your eyes on the $ssl_sigalgs variable. Patch your existing 1.31.x deployments now, especially if you are running rewrite rules or SSI pipelines. The full changelog and CVE details are documented in the mainline changes repository.