~ /blog / nginx-1-31-3

nginx 1.31.3

·#nginx·#Release·#Security

Upstream released nginx 1.31.3 on July 15, 2026, and the n.wtf packages are now published for all supported Debian and Ubuntu releases. This is a security release. If you run 1.31.2 or older from this repository, upgrade now.

#Security fixes

Three vulnerabilities are fixed, all in the worker process:

  • CVE-2026-42533: a heap buffer overflow when a map directive with regex matching feeds a string expression, and a similar case with non-cacheable variables. This is the one to take seriously; map with regex is everywhere.
  • CVE-2026-60005: uninitialized memory access with unnamed regex captures combined with the slice directive or background cache updates. Upstream says it can disclose worker memory or crash the worker.
  • CVE-2026-56434: a use-after-free in the SSI filter when processing a crafted proxied backend response.

If your config uses map with regex captures, slice, proxy caching, or SSI, treat the upgrade as urgent. Everyone else should not wait either; the full details are public in the upstream release notes.

#Also in this release

Beyond the security fixes, 1.31.3 rejects HTTP/2 requests with out-of-order pseudo-headers, disables external entity loading in the XSLT filter by default (with a new xml_external_entities directive to turn it back on), and adds *_socket_sndbuf / *_socket_rcvbuf directives for tuning upstream socket buffers across the proxy, FastCGI, gRPC, SCGI, and uWSGI modules.

#Changes

  • Upgrade nginx to 1.31.3
  • Upgrade nginx-acme to 0.4.1

#How to upgrade

bash
sudo apt update
sudo apt full-upgrade

nginx -v
# nginx version: nginx-n.wtf/1.31.3

full-upgrade lets apt add or remove dependencies when the package set changes between releases; plain apt upgrade can hold nginx back in that case.

Not on the repository yet? The install page has extrepo, one-line, DEB822, and Docker instructions.

Share