nginx 1.31.0 Mainline with HTTP/3 support added to EL7, EL8, EL9 and EL10 repositories. Brotli compression module from Google, http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is built dynamically using official OpenSSL 4.0.0 with QUIC support.
Major changes:
*) Security: when using the "proxy_set_body" directive, an attacker
might inject data in the proxied request to an HTTP/2 backend
(CVE-2026-42926).
Thanks to Mufeed VH of Winfunc Research.
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution (CVE-2026-42945).
Thanks to Leo Lin.
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially crafted response by
ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an attacker
to cause a disclosure of worker process memory or segmentation fault
in a worker process (CVE-2026-42946).
Thanks to Leo Lin.
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially sent response with decoding from
UTF-8 via the "charset_map" directive, allowing an attacker to cause
a limited disclosure of worker process memory or segmentation fault
in a worker process (CVE-2026-42934).
Thanks to David Carlier.
*) Security: when using HTTP/3, processing of connection migration might
cause new QUIC streams to receive a new client address before
validation, allowing an attacker to cause address spoofing
(CVE-2026-40460).
Thanks to Rodrigo Laneth.
*) Security: use-after-free might occur during DNS server response
processing if the "ssl_ocsp" directive was used, allowing an attacker
to cause worker process memory corruption or segmentation fault in a
worker process (CVE-2026-40701).
Thanks to Leo Lin.
*) Change: now nginx rejects HTTP/2 and HTTP/3 requests with the
"Connection", "Proxy-Connection", "Keep-Alive", "Transfer-Encoding",
"Upgrade" header lines, and "TE" with any value other than
"trailers".
*) Change: the ngx_http_dav_module now rejects COPY or MOVE requests
when the source and destination resources are the same or have a
parent-child collection relationship.
*) Change: the logging level of the "invalid alert" and "record layer
failure" SSL errors, and of the "SSL alert number N" for any alert
numbers has been lowered from "crit" to "info".
*) Change: now the "sticky" module can be disabled with the
--without-http_upstream_sticky_module configure option; the
--without-http_upstream_sticky configure option is deprecated.
*) Feature: the ngx_http_tunnel_module; support for authenticating to
proxies in the "auth_basic", "satisfy", and "auth_delay" directives.
*) Feature: the "least_time" directive inside the "upstream" block.
*) Feature: the "proxy_ssl_alpn" directive in the stream module.
*) Bugfix: connections with HTTP/2 backends might not be cached when
using the "proxy_set_body" or "proxy_pass_request_body" directives.
*) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be
transferred incorrectly if the first line was not fully read.
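
Added example, not part of the nginx release notes or the repository's tooling: a triage script that lists where a configuration uses the directives the security entries above name, to help decide which hosts to upgrade first. The module-to-directive mapping, the `triage` function and the sample configuration are assumptions of this example; a hit marks a line to review, not a confirmed exposure.

```python
import re
# Directive -> CVE from the release notes above. Mapping modules to directive
# names and HTTP/3 to "listen ... quic" is an assumption of this example.
TRIAGE = {
    "proxy_set_body": "CVE-2026-42926",  # only matters with an HTTP/2 backend
    **dict.fromkeys(("rewrite", "if", "set", "return"), "CVE-2026-42945"),
    **dict.fromkeys(("scgi_pass", "uwsgi_pass"), "CVE-2026-42946"),
    "charset_map": "CVE-2026-42934", "ssl_ocsp": "CVE-2026-40701",
}
QUIC_CVE = "CVE-2026-40460"
# Quoted strings, comments, punctuation, bare words (a '#' inside a word is kept).
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[;{}]|[^\s;{}]+''')

SAMPLE_CONF = """\
# constructed sample, not a real deployment
server {
    listen 443 quic reuseport;
    ssl_ocsp on;
    # rewrite ^/old /new;   (commented out, must not be reported)
    location /api {
        proxy_set_body "id=$arg_id; # still inside the string";
    }
    location /app { uwsgi_pass unix:/run/app.sock; }
}
"""

def triage(conf_text):
    """Return (line, directive, cve) for each directive worth reviewing."""
    hits, stmt, stmt_line = [], [], 0
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok not in (";", "{", "}"):
            if not stmt:  # first word of a statement is the directive name
                stmt_line = conf_text.count("\n", 0, m.start()) + 1
            stmt.append(tok)
            continue
        if stmt:
            name, args = stmt[0], stmt[1:]
            if name in TRIAGE and not (name == "ssl_ocsp" and args == ["off"]):
                hits.append((stmt_line, name, TRIAGE[name]))
            elif name == "listen" and "quic" in args:
                hits.append((stmt_line, "listen quic", QUIC_CVE))
        stmt = []
    return hits

if __name__ == "__main__":
    print(*triage(SAMPLE_CONF), sep="\n")
```

The scan reads one file as text and does not follow `include` directives, so run it over every included file as well.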
