Security Nginx 1.31.2 Security Bug Fix Release (3 CVEs)

Discussion in 'Centmin Mod News' started by eva2000, Jun 22, 2026 at 1:40 AM.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    59,039
    12,504
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +19,136
    Local Time:
    8:02 PM
    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    Nginx 1.31.2 mainline and 1.30.3 stable releases are out with security bug fixes for a buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and a buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142). Additionally, nginx 1.31.2 includes a fix for a use-after-free vulnerability in the ngx_http_v3_module HTTP/3 QUIC code (CVE-2026-42530).

    Centmin Mod 141.00beta01 has been updated to default to Nginx 1.31.2 for fresh installs.
    • Mainline branch: nginx 1.31.2 fixes all 3 CVEs (including the HTTP/3 use-after-free).
    • Stable branch: nginx 1.30.3 fixes 2 of the CVEs (CVE-2026-42055 and CVE-2026-48142). The HTTP/3 use-after-free (CVE-2026-42530) does not apply to the 1.30.x stable branch.
    Existing Centmin Mod users running older releases (e.g. 124.00stable or 130.00beta01) should first update to the latest Centmin Mod 132.00stable, 140.00beta01, or 141.00beta01 release as outlined at https://community.centminmod.com/th...ase-with-almalinux-rocky-linux-support.25572/. Then run centmin.sh menu option 4 to update to Nginx 1.31.2 or 1.30.3.

    For existing Centmin Mod 132.00stable, 140.00beta01, and 141.00beta01 users, just running cmupdate command will get you the latest updated code. Then run centmin.sh menu option 4 to update to Nginx 1.31.2 or 1.30.3.

    Code (Text):
    --------------------------------------------------------
        Centmin Mod Menu 141.00beta01 centminmod.com
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  MySQL User Database Management
    7).  Persistent Config File Management
    8).  PostgreSQL Server Management
    9).  Option Being Revised (TBA)
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Data Transfer
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 4
    --------------------------------------------------------
    

    Code (Text):
    Nginx Upgrade - Would you like to continue? [y/n] y
    Current Nginx Version: 1.31.1
    
    Install which version of Nginx? (version i.e. type 1.31.2): 1.31.2
    
    Do you still want to continue? [y/n] y
    

    Code (Text):
    Changes with nginx 1.31.2                                        17 Jun 2026
    
       *) Security: a heap memory buffer overflow might occur in a worker
          process while proxying a specially crafted request to a HTTP/2 or
          gRPC backend, if "ignore_invalid_headers" was switched off and
          large values of "large_client_header_buffers" were configured;
          the bug had appeared in 1.31.0 (CVE-2026-42055).
          Thanks to Mufeed VH of Winfunc Research.
    
       *) Security: a heap memory buffer overread might occur in a worker
          process while handling a specially sent response with UTF-8
          decoding in the ngx_http_charset_module; this might result in
          limited disclosure of worker process memory or a segmentation
          fault (CVE-2026-48142).
          Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.
    
       *) Security: a use-after-free might occur in a worker process while
          processing HTTP/3 QUIC sessions in the ngx_http_v3_module, which
          might result in worker process memory corruption or a
          segmentation fault (CVE-2026-42530).
          Thanks to Trung Nguyen of CyStack.
    
       *) Change: the $request_id variable now uses SipHash-2-4 hashing.
    
       *) Feature: the $ssl_sigalgs variable.
    
       *) Bugfix: the variable set by the "split_clients" directive could be
          empty if all percentages were specified explicitly and summed up
          to 100%.
    
       *) Bugfix: now constant time hash comparison is used in the
          "secure_link" directive.
    

    Code (Text):
    Changes with nginx 1.30.3                                        17 Jun 2026
    
       *) Security: a heap memory buffer overflow might occur in a worker
          process while proxying a specially crafted request to a HTTP/2 or
          gRPC backend, if "ignore_invalid_headers" was switched off and
          large values of "large_client_header_buffers" were configured
          (CVE-2026-42055).
          Thanks to Mufeed VH of Winfunc Research.
    
       *) Security: a heap memory buffer overread might occur in a worker
          process while handling a specially sent response with UTF-8
          decoding in the ngx_http_charset_module (CVE-2026-48142).
          Thanks to Han Yan of Xiaomi and p4p3r of CYBERONE.
    


     
  2. eva2000

    Nginx 1.31.2 Security Bugs Explained

    This release addresses 3 security vulnerabilities. Two of them (CVE-2026-42055 and CVE-2026-48142) affect both the mainline (1.31.x) and stable (1.30.x) branches; the third (CVE-2026-42530) is specific to the mainline HTTP/3 code. If you run Centmin Mod Nginx behind Cloudflare CDN Orange cloud-enabled proxy, you are likely already protected from some of these issues - but the most important ones are triggered by backend responses or direct HTTP/3 connections that Cloudflare cannot see, so upgrading regardless is strongly advised.

    CVE-2026-42055 - Heap Buffer Overflow proxying to HTTP/2 / gRPC backends

    Plain English: When Nginx forwards a request to a backend that speaks HTTP/2 or gRPC, a specially crafted request could overflow a memory buffer inside the Nginx worker process. That can corrupt memory or crash the worker, and in the worst case may have further impact.
    • Vulnerability: A heap memory buffer overflow in the ngx_http_proxy_v2_module / ngx_http_grpc_module while proxying a crafted request to an HTTP/2 or gRPC upstream.
    • Preconditions: Triggers only when both ignore_invalid_headers off; is set and large values of large_client_header_buffers are configured, while proxying to an HTTP/2 or gRPC backend.
    • Affected Versions: Introduced in 1.31.0; fixed in 1.31.2 and 1.30.3.
    • Impact: Worker process memory corruption or segmentation fault.
    • Who Is Affected: Users running Nginx as a reverse proxy to HTTP/2 or gRPC backends (e.g. gRPC services, Go/Java app servers with HTTP/2 enabled) who have also disabled ignore_invalid_headers and raised large_client_header_buffers. Standard Centmin Mod deployments proxy to PHP-FPM over FastCGI, not HTTP/2/gRPC, and keep the default ignore_invalid_headers on; - so typical setups have low exposure.
    • Credit: Mufeed VH of Winfunc Research.

    CVE-2026-48142 - Heap Buffer Overread in Charset Module (UTF-8 decoding)

    Plain English: When Nginx converts the character set of a response using charset_map with UTF-8 decoding, a malicious/crafted response could make Nginx read past the end of a buffer. This can leak a small amount of worker memory or crash the worker.
    • Vulnerability: A heap memory buffer overread in the ngx_http_charset_module while handling a crafted response with UTF-8 decoding.
    • Preconditions: Requires charset_map with UTF-8 conversion configured.
    • Affected Versions: Fixed in 1.31.2 and 1.30.3.
    • Impact: Limited disclosure of worker process memory, or a segmentation fault (worker crash).
    • Who Is Affected: Only users who have manually configured charset_map character-set conversion rules. The charset_map directive is not part of default Centmin Mod configurations, so most users are not affected.
    • Cloudflare note: This is triggered by the response being processed, not the client request, so a CDN/WAF in front of Nginx does not mitigate it.
    • Credit: Han Yan of Xiaomi and p4p3r of CYBERONE.

    CVE-2026-42530 - Use-After-Free in HTTP/3 QUIC Module (mainline only)

    Plain English: When Nginx serves traffic over HTTP/3 (QUIC), a flaw in how QUIC sessions are processed could cause Nginx to use a chunk of memory after it had already been freed. That can corrupt memory or crash the worker, with potential for further impact.
    • Vulnerability: A use-after-free in the ngx_http_v3_module while processing HTTP/3 QUIC sessions.
    • Preconditions: Requires HTTP/3 enabled (listen ... quic;).
    • Affected Versions: Mainline HTTP/3 code; fixed in 1.31.2. Does not apply to the 1.30.x stable branch.
    • Impact: Worker process memory corruption or segmentation fault.
    • Who Is Affected: Centmin Mod users who have enabled HTTP/3 on their vhosts. If you have not enabled HTTP/3, you are not affected by this CVE.
    • Centmin Mod default - HTTP/3 is OFF: Centmin Mod Nginx HTTP/3 (QUIC) support is disabled by default. HTTP/3 requires Nginx to be compiled against a QUIC-capable crypto library, and all of the relevant build switches default to n:
      • AWS_LC_SWITCH='n' - AWS-LC (given priority for HTTP/3 QUIC on EL8/9/10)
      • BORINGSSL_SWITCH='n' - BoringSSL
      • NGINX_QUIC_SUPPORT='n' - quictls/openssl-quic path
      Unless you have specifically set one of these to 'y' (e.g. switched to AWS-LC or BoringSSL crypto, or enabled NGINX_QUIC_SUPPORT) in your persistent config /etc/centminmod/custom_config.inc and recompiled Nginx via centmin.sh menu option 4, HTTP/3 is not enabled in your Centmin Mod Nginx. This means the vast majority of Centmin Mod installs are not affected by this CVE.
    • Cloudflare note: If HTTP/3 is only served at the Cloudflare edge (Cloudflare terminates QUIC and connects to your origin over HTTP/1.1 or HTTP/2), your origin's QUIC listener is not directly exposed. If your origin serves HTTP/3 directly (non-proxied domains or direct-IP access), you remain exposed.
    • Credit: Trung Nguyen of CyStack.
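
The preconditions listed in the post above can be checked against a running config. The following is an added example, not part of the original posts and not Centmin Mod code: it reads an nginx config dump (such as `nginx -T` output) and reports, per CVE, whether those preconditions appear. The function names `audit_nginx_conf` and `sample_conf`, the sample config, the use of nginx's 8k default as the cut-off for a "large" `large_client_header_buffers` value (the post gives no threshold), and matching `proxy_http_version 2` as the HTTP/2 upstream setting are assumptions.

```shell
#!/bin/sh
# Added example (not Centmin Mod code). Reads a full nginx config dump on stdin,
# e.g. `nginx -T 2>/dev/null | audit_nginx_conf`, and reports per CVE whether
# the preconditions listed in the post appear anywhere in the config.
# Matching is global, not per server{} block, so it errs towards over-reporting.
audit_nginx_conf() {
  awk '
    { sub(/#.*/, "") }                                   # drop comments
    /ignore_invalid_headers[ \t]+off[ \t]*;/ { iih_off = 1 }
    /grpc_pass[ \t]/                         { h2_up = 1 }
    /proxy_http_version[ \t]+2[ \t]*;/       { h2_up = 1 }  # assumed HTTP/2 upstream syntax
    /large_client_header_buffers[ \t]/ {
      for (i = 1; i < NF - 1; i++) if ($i == "large_client_header_buffers") {
        s = tolower($(i + 2)); n = s + 0                 # "64k;" -> 64
        if (s ~ /k;?$/) n *= 1024
        if (s ~ /m;?$/) n *= 1048576
        if (n > 8192) big_buf = 1    # assumption: above the 8k default counts as large
      }
    }
    /^[ \t]*charset_map[ \t]/ && tolower($0) ~ /utf-8/ { cs_utf8 = 1 }
    /^[ \t]*listen[ \t].*[ \t]quic[ \t;]/               { quic = 1 }
    function verdict(cve, hit) {
      print cve, (hit ? "preconditions-present" : "preconditions-absent")
    }
    END {
      verdict("CVE-2026-42055", iih_off && h2_up && big_buf)
      verdict("CVE-2026-48142", cs_utf8)
      verdict("CVE-2026-42530", quic)
    }
  '
}

# Constructed sample config: gRPC upstream with both risky header settings,
# no charset_map, and the QUIC listener commented out.
sample_conf() {
  cat <<'EOF'
http {
    ignore_invalid_headers off;
    large_client_header_buffers 4 64k;
    server {
        listen 443 ssl;
        # listen 443 quic reuseport;
        location /api/ { grpc_pass grpc://127.0.0.1:50051; }
    }
}
EOF
}

sample_conf | audit_nginx_conf
```

A "preconditions-absent" result only describes the configuration; the installed version still needs to be 1.31.2 or 1.30.3 to carry the fixes.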
     