Nginx 1.31.2 Security Update - 3 CVEs Fixed
Nginx 1.31.2 (mainline) and 1.30.3 (stable) have been released with fixes for 3 security vulnerabilities. All three Centmin Mod branches (132.00stable, 140.00beta01, 141.00beta01) have been updated to Nginx 1.31.2 as the new default for fresh installs.
CVEs addressed:
- CVE-2026-42055 - Heap buffer overflow in ngx_http_proxy_v2_module / ngx_http_grpc_module when proxying to an HTTP/2 or gRPC backend (requires
ignore_invalid_headers offplus largelarge_client_header_buffers; default FastCGI setups are unaffected) - CVE-2026-48142 - Heap buffer overread in ngx_http_charset_module during UTF-8 decoding (requires a configured
charset_map, which is not part of default configs) - CVE-2026-42530 - Use-after-free in ngx_http_v3_module HTTP/3 QUIC processing (mainline only; HTTP/3 is disabled by default in Centmin Mod, so most installs are not affected)
The mainline 1.31.2 release fixes all 3 CVEs. The stable 1.30.3 release fixes 2 of them (CVE-2026-42055 and CVE-2026-48142); the HTTP/3 use-after-free (CVE-2026-42530) does not apply to the 1.30.x stable branch.
To update, run cmupdate and then centmin.sh menu option 4 to recompile Nginx. Or instead of cmupdate, update your local code first via centmin.sh menu option 23 submenu option 2 and then centmin.sh menu option 4 to recompile Nginx. See the Nginx Upgrade / Downgrade guide for details.