Nginx 1.31.3 Lands with Heavy Security Patches and New Socket Tuning Directives
Nginx just pushed version 1.31.3 to GitHub, wrapping up a mainline development cycle that has been anything but quiet. The release drops ten new TCP socket buffer directives, tightens up HTTP/2 trailer handling, and patches two critical buffer overflows that could chew through worker process memory.
Keep in mind that odd minor versions like 1.31.x live in Nginx’s mainline branch. That means you are looking at bleeding-edge features and security fixes before they eventually get merged into the even-numbered stable releases. This series kicked off back in May 2026, and 1.31.3 officially lands on July 15. If you have been riding the mainline wave, there is plenty to digest.
The Security Patch List
The patch list reads like a defensive perimeter exercise. Sixteen CVEs have been tracked across the 1.31.x releases, but 1.31.3 alone tackles three. CVE-2026-42533 fixes a heap buffer overflow in the map directive when regex captures collide with string expressions. That is a nasty one. There is also CVE-2026-60005, which shuts down an uninitialized memory access leak tied to the slice directive and background cache updates. A third flaw, CVE-2026-56434, addresses a use-after-free bug in the SSI filter module. All three demand an immediate upgrade.
Nginx says the XSLT change was a direct response to industry-wide pushback on XML parsing. External entity loading is now disabled by default. You will need the new xml_external_entities directive if you actually want to pull them in. The team also capped HTTP/2 response header and trailer sizes to existing proxy_buffer_size settings. That stops unbounded memory allocation cold.
New Directives and Protocol Tweaks
Beyond the security patches, 1.31.3 brings practical tuning knobs. Ten new directives let you set send and receive buffer sizes for backend connections across proxy, FastCGI, gRPC, SCGI, uWSGI, and tunnel modules. Next, the protocol hardening in earlier 1.31 releases starts to show its teeth. The rewrite module caught fixes for overlapping capture overflows. HTTP/3 and QUIC got patched for connection migration spoofing and use-after-free bugs. You will also spot the new ngx_http_tunnel_module for bidirectional proxying. A least_time upstream load balancing option rounds out the feature set.
The shift toward fine-grained performance tuning makes sense. Backend architectures have only grown more complex since the last stable branch rolled out. It is a rather dense release for a development line, though the socket buffer controls and protocol hardening do offer real value. For teams prioritizing raw stability, you might want to wait for the 1.32.x stable release. Those patches will carry the tested portions of this mainline cycle.
Release release-1.31.3
release-1.31.3 tag
If you need to audit TLS handshakes, keep your eyes on the $ssl_sigalgs variable. Patch your existing 1.31.x deployments now, especially if you are running rewrite rules or SSI pipelines. The full changelog and CVE details are documented in the mainline changes repository.

