NGINX 1.31.2 Mainline with Brotli, TLS 1.3, OpenSSL 4.0.1, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.31.2 Mainline, with fixes for a buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055) and a buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142), has been added to the EL7, EL8, EL9 and EL10 repositories. The Brotli compression module from Google and the http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is built dynamically using the official OpenSSL 4.0.1 with QUIC support.

Major changes:

– Security: use-after-free might occur when using HTTP/3 and processing
– Security: a heap memory buffer overflow might occur in a worker
– Security: a heap memory buffer overread might occur in a worker
– Change: now the $request_id variable uses SipHash-2-4.
– Feature: the $ssl_sigalgs variable.
– Bugfix: a variable defined by the “split_clients” directive might be
– Bugfix: constant time “secure_link” hash comparison.
