EUVD-2026-14883
GHSA-hwq5-42j9-jvqj
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
Integer overflow in NGINX 32-bit builds with the ngx_http_mp4_module allows local attackers to corrupt or overwrite worker process memory via specially crafted MP4 files, leading to denial of service. The vulnerability requires the mp4 directive to be enabled in the configuration and an attacker's ability to trigger MP4 file processing. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all 32-bit NGINX deployments and identify which have the mp4 module enabled and configured. Within 7 days: Implement compensating controls (disable MP4 module if not business-critical, apply WAF rules to block suspicious MP4 uploads, or restrict MP4 processing to trusted internal sources). …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today