Security Nginx 1.31.0 Security Update - 6 CVEs Fixed

Discussion in 'Centmin Mod News' started by eva2000, May 15, 2026.

    eva2000 Administrator Staff Member

    58,893
    12,490
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,122
    Local Time:
    11:10 AM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    Nginx 1.31.0 (mainline) and 1.30.1 (stable) have been released with fixes for 6 security vulnerabilities. All three Centmin Mod branches (132.00stable, 140.00beta01, 141.00beta01) have been updated to Nginx 1.31.0 as the new default.

    CVEs addressed:
    • CVE-2026-42945 - Heap buffer overflow in ngx_http_rewrite_module (potential code execution)
    • CVE-2026-42926 - HTTP/2 request injection via proxy_set_body
    • CVE-2026-42946 - Heap buffer overread in SCGI/uWSGI modules
    • CVE-2026-42934 - Heap buffer overread in UTF-8 charset decoding
    • CVE-2026-40460 - QUIC address spoofing via connection migration
    • CVE-2026-40701 - Use-after-free in DNS OCSP processing
    To update for existing Centmin Mod users on the three Centmin Mod branches (132.00stable, 140.00beta01, 141.00beta01), run cmupdate and then centmin.sh menu option 4 to recompile Nginx.

    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 140.00beta01 centminmod.com  
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  MySQL User Database Management
    7).  Persistent Config File Management
    8).  Option Being Revised (TBA)
    9).  Option Being Revised (TBA)
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Data Transfer
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 4
    --------------------------------------------------------
    

    Code (Text):
    Nginx Upgrade - Would you like to continue? [y/n] y
    
    Current Nginx Version: 1.29.8 (060526-111348-almalinux8-68e9481-br-a71f931)
    
    Install which version of Nginx? (version i.e. type 1.31.0): 1.31.0
    


    Who is affected?

    Every Centmin Mod user running nginx older than 1.31.0. This isn't limited to specific configurations - the most critical vulnerability affects a core part of nginx that every server uses (the rewrite module, which handles URL redirects and rewrites in your nginx configs).

    Am I safe if I use Cloudflare?

    Not fully. Cloudflare helps block some types of attacks, but it cannot reliably stop the most critical vulnerability in this release. Three of the six vulnerabilities involve how nginx talks to your backend or DNS servers, which Cloudflare has no visibility into at all. You still need to update.

    What should I do?

    Update your nginx to 1.31.0 as soon as possible. In Centmin Mod, you can do this via centmin.sh menu option 4, and enter version 1.31.0 when prompted.

    What was fixed?
    • A vulnerability that could let attackers run code on your server through normal web requests (the most critical one)
    • A vulnerability that could let attackers inject data into requests sent to backend servers
    • Two vulnerabilities that could leak server memory contents or crash your server
    • A vulnerability allowing address spoofing on HTTP/3 connections
    • A vulnerability that could corrupt memory when nginx checks SSL certificate revocation status

    Will anything break after updating?

    One change to be aware of: nginx now strictly rejects certain HTTP headers (Connection, Keep-Alive, Transfer-Encoding, Upgrade) on HTTP/2 and HTTP/3 requests. These headers were technically invalid in HTTP/2 anyway, but nginx used to silently accept them. If you have older applications or API clients that send these headers over HTTP/2, they may start getting errors after the update. Check your nginx error logs after upgrading.
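The "Who is affected?" and "What should I do?" sections above boil down to one check: is the running nginx older than the fixed release on its branch (1.31.0 mainline, 1.30.1 stable)? The POSIX sh below is an added example, not Centmin Mod's own code; it parses either raw `nginx -v` output or the bare version string the Centmin Mod menu prints, and `check_installed_nginx` is a hypothetical wrapper around the real `nginx -v` command.

```shell
#!/bin/sh
# Added example (not Centmin Mod code): decide whether an nginx build already
# carries the fixes from this announcement. Fixed releases are 1.31.0 (mainline)
# and 1.30.1 (stable); anything older on either branch is affected.

# Print the first X.Y.Z version found in the argument, or nothing at all.
# Works on "nginx version: nginx/1.29.8" as well as on the Centmin Mod menu
# line "Current Nginx Version: 1.29.8 (060526-...)".
nginx_version_of() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit status: 0 = patched, 1 = affected, 2 = version string not parseable.
nginx_is_patched() {
    v=$(nginx_version_of "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -gt 1 ]; then return 0; fi   # any 2.x or later
    if [ "$major" -lt 1 ]; then return 1; fi   # legacy 0.x builds
    if [ "$minor" -ge 31 ]; then return 0; fi  # 1.31.0+ mainline
    if [ "$minor" -eq 30 ] && [ "$patch" -ge 1 ]; then return 0; fi  # 1.30.1+ stable
    return 1
}

# Hypothetical wrapper for a live server: `nginx -v` prints to stderr, hence 2>&1.
# Exit status mirrors nginx_is_patched so it can be used from cron or a monitor.
check_installed_nginx() {
    out=$(nginx -v 2>&1) || { echo "nginx not found or not runnable"; return 2; }
    rc=0
    nginx_is_patched "$out" || rc=$?
    case $rc in
        0) echo "patched: $out" ;;
        1) echo "AFFECTED, upgrade via centmin.sh menu option 4: $out" ;;
        *) echo "could not parse version from: $out" ;;
    esac
    return $rc
}
```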