This release includes 6 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Release 1.30.1 patches five critical security flaws affecting HTTP/2, HTTP/3, and several NGINX modules.
Why it matters: CVE-2026-42926 (HTTP/2 injection), CVE-2026-40460 (address spoofing in HTTP/3), and three buffer-overrun issues require immediate patching to prevent remote code execution or data leakage.
Summary
AI summary: This release fixes CVE-2026-42926, an HTTP/2 request injection vulnerability in ngx_http_proxy_module.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Fixes use-after-free vulnerability (CVE-2026-40701) in OCSP requests to resolver. Source: granite4.1:30b@2026-05-22-audit. Confidence: low | — |
| Security | Medium | Fixes HTTP/2 request injection vulnerability CVE-2026-42926 in ngx_http_proxy_module. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Security | Medium | Fixes buffer overflow vulnerability CVE-2026-42945 in ngx_http_rewrite_module. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Security | Medium | Fixes buffer overread vulnerabilities CVE-2026-42946 in ngx_http_scgi_module and ngx_http_uwsgi_module. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Security | Medium | Fixes buffer overread vulnerability CVE-2026-42934 in ngx_http_charset_module. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Security | Medium | Fixes address spoofing vulnerability CVE-2026-40460 in HTTP/3. Source: llm_adapter@2026-05-21. Confidence: low | — |
Full changelog
nginx-1.30.1 stable version has been released with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926), buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-42934), address spoofing vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701).
See official CHANGES-1.30 on nginx.org.
Below is a release summary generated by GitHub.
What's Changed
- nginx-1.30.1-RELEASE by @pluknet in https://github.com/nginx/nginx/pull/1351
Full Changelog: https://github.com/nginx/nginx/compare/release-1.30.0...release-1.30.1
Security Fixes
- CVE-2026-42926 — HTTP/2 request injection vulnerability in ngx_http_proxy_module
- CVE-2026-42945 — Buffer overflow vulnerability in ngx_http_rewrite_module
- CVE-2026-42946 — Buffer overread vulnerabilities in ngx_http_scgi_module and ngx_http_uwsgi_module
- CVE-2026-42934 — Buffer overread vulnerability in ngx_http_charset_module
- CVE-2026-40460 — Address spoofing vulnerability in HTTP/3
- CVE-2026-40701 — Use-after-free vulnerability in OCSP requests to resolver
About NGINX
HTTP and reverse proxy server, mail proxy server, and generic TCP/UDP proxy server.