Skip to main content

Nginx Open Source CVE-2026-27784

| EUVDEUVD-2026-14883 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-03-24 f5 GHSA-hwq5-42j9-jvqj
8.5
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 14:45 euvd
EUVD-2026-14883
Analysis Generated
Mar 24, 2026 - 14:45 vuln.today
CVE Published
Mar 24, 2026 - 14:13 nvd
HIGH 8.5

DescriptionCVE.org

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Integer overflow in NGINX 32-bit builds with the ngx_http_mp4_module allows local attackers to corrupt or overwrite worker process memory via specially crafted MP4 files, leading to denial of service. The vulnerability requires the mp4 directive to be enabled in the configuration and an attacker's ability to trigger MP4 file processing. No patch is currently available for affected deployments.

Technical ContextAI

This vulnerability resides in NGINX Open Source's ngx_http_mp4_module, a module designed to serve MP4 video files with seeking support and pseudo-streaming capabilities. The affected product is identified via CPE cpe:2.3:a:f5:nginx_open_source and is specifically limited to 32-bit architectures. The root cause is classified as CWE-190 (Integer Overflow or Wraparound), indicating that arithmetic operations on MP4 file metadata likely exceed 32-bit integer boundaries, leading to memory corruption. The ngx_http_mp4_module parses MP4 container metadata to enable features like byte-range requests and seeking, and improper validation of these values on 32-bit systems allows crafted files to trigger out-of-bounds memory access. The vulnerability only manifests when the mp4 directive is explicitly enabled in the NGINX configuration, meaning many deployments using NGINX for reverse proxying or static file serving without MP4 pseudo-streaming are not affected.

RemediationAI

Consult the F5 security advisory at https://my.f5.com/manage/s/article/K000160364 for specific patched versions of NGINX Open Source and upgrade immediately to the recommended release that addresses this integer overflow vulnerability. If immediate patching is not feasible, implement the following mitigations: migrate 32-bit NGINX installations to 64-bit architectures where the vulnerability does not manifest, disable the ngx_http_mp4_module or remove the mp4 directive from configuration files if MP4 pseudo-streaming is not required, implement strict input validation and file type restrictions to prevent processing of untrusted MP4 files, or isolate the NGINX worker processes using operating system-level sandboxing mechanisms such as seccomp, AppArmor, or SELinux to limit the impact of memory corruption. Organizations should prioritize migration to 64-bit systems as 32-bit architectures are increasingly deprecated and receive reduced security support.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42530 CRITICAL POC
9.2 Jun 17

Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker process

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2026-32647 HIGH
8.5 Mar 24

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 8 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-27784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy