CVE-2026-32647

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://my.f5.com/manage/s/article/K000160366	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:f5:nginx_plus:r32:p1::::::
	cpe:2.3:a:f5:nginx_plus:r32:p2::::::
	cpe:2.3:a:f5:nginx_plus:r32:p3::::::
	cpe:2.3:a:f5:nginx_plus:r32:p4::::::
	cpe:2.3:a:f5:nginx_plus:r33:::::::*
	cpe:2.3:a:f5:nginx_plus:r33:p1::::::
	cpe:2.3:a:f5:nginx_plus:r33:p2::::::
	cpe:2.3:a:f5:nginx_plus:r33:p3::::::
	cpe:2.3:a:f5:nginx_plus:r34:::::::*
	cpe:2.3:a:f5:nginx_plus:r34:p1::::::
	cpe:2.3:a:f5:nginx_plus:r34:p2::::::
	cpe:2.3:a:f5:nginx_plus:r35:::::::*
	cpe:2.3:a:f5:nginx_plus:r35:p1::::::
	cpe:2.3:a:f5:nginx_plus:r36:::::::*
	cpe:2.3:a:f5:nginx_plus:r36:p1::::::
	cpe:2.3:a:f5:nginx_plus:r36:p2::::::

Configuration 2 (hide)

OR	cpe:2.3:a:f5:nginx_open_source::::::::
	cpe:2.3:a:f5:nginx_open_source::::::::

History

26 Mar 2026, 21:11

Type	Values Removed	Values Added
Summary		(es) NGINX Open Source y NGINX Plus tienen una vulnerabilidad en el módulo ngx_http_mp4_module, que podría permitir a un atacante desencadenar una lectura o escritura excesiva de búfer en la memoria del proceso worker de NGINX, lo que resultaría en su terminación o posiblemente en la ejecución de código, utilizando un archivo MP4 especialmente diseñado. Este problema afecta a NGINX Open Source y NGINX Plus si está compilado con el módulo ngx_http_mp4_module y la directiva mp4 se utiliza en el archivo de configuración. Además, el ataque es posible solo si un atacante puede desencadenar el procesamiento de un archivo MP4 especialmente diseñado con el módulo ngx_http_mp4_module. Nota: Las versiones de software que han alcanzado el Fin de Soporte Técnico (EoTS) no son evaluadas.
References	~~() https://my.f5.com/manage/s/article/K000160366 -~~	() https://my.f5.com/manage/s/article/K000160366 - Vendor Advisory
First Time		F5 nginx Open Source F5 nginx Plus F5
CPE		cpe:2.3:a:f5:nginx_plus:r32:p2:::::: cpe:2.3:a:f5:nginx_plus:r33:::::::* cpe:2.3:a:f5:nginx_plus:r36:p2:::::: cpe:2.3:a:f5:nginx_plus:r32:p3:::::: cpe:2.3:a:f5:nginx_plus:r36:::::::* cpe:2.3:a:f5:nginx_open_source:::::::: cpe:2.3:a:f5:nginx_plus:r35:::::::* cpe:2.3:a:f5:nginx_plus:r36:p1:::::: cpe:2.3:a:f5:nginx_plus:r32:p4:::::: cpe:2.3:a:f5:nginx_plus:r33:p3:::::: cpe:2.3:a:f5:nginx_plus:r34:p1:::::: cpe:2.3:a:f5:nginx_plus:r35:p1:::::: cpe:2.3:a:f5:nginx_plus:r34:::::::* cpe:2.3:a:f5:nginx_plus:r34:p2:::::: cpe:2.3:a:f5:nginx_plus:r33:p2:::::: cpe:2.3:a:f5:nginx_plus:r32:p1:::::: cpe:2.3:a:f5:nginx_plus:r33:p1::::::

24 Mar 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 15:16

Updated : 2026-03-26 21:11

NVD link : CVE-2026-32647

Mitre link : CVE-2026-32647

CVE.ORG link : CVE-2026-32647

JSON object : View

Products Affected

nginx_plus
nginx_open_source

CWE

CWE-125

Out-of-bounds Read

7.8 /10