Skip to main content

Nginx Open Source CVE-2026-32647

| EUVDEUVD-2026-14897 HIGH
Out-of-bounds Read (CWE-125)
2026-03-24 f5
8.5
CVSS 4.0 · Vendor: f5
Share

Severity by source

Vendor (f5) PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (f5).

CVSS VectorVendor: f5

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:18 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.28.3,1.29.7
EUVD ID Assigned
Mar 24, 2026 - 14:45 euvd
EUVD-2026-14897
Analysis Generated
Mar 24, 2026 - 14:45 vuln.today
CVE Published
Mar 24, 2026 - 14:13 nvd
HIGH 8.5

DescriptionCVE.org

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted mp4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).

Technical ContextAI

The ngx_http_mp4_module is an NGINX module that provides pseudo-streaming support for MP4 files, enabling byte-range requests and seeking within video files. According to the CPE data, both NGINX Open Source (cpe:2.3:a:f5:nginx_open_source) and NGINX Plus (cpe:2.3:a:f5:nginx_plus) maintained by F5 are affected. The root cause is classified as CWE-125 (Out-of-bounds Read), though the description indicates both over-read and over-write conditions are possible, suggesting potential memory corruption vulnerabilities in the MP4 file parsing logic. The module must be explicitly compiled into NGINX and the mp4 directive must be present in the configuration file for the system to be vulnerable, limiting the attack surface to deployments specifically using MP4 streaming functionality.

RemediationAI

Consult the F5 security advisory at https://my.f5.com/manage/s/article/K000160366 for specific patch versions and upgrade instructions for both NGINX Open Source and NGINX Plus. As an immediate mitigation, if MP4 streaming functionality is not required, disable the ngx_http_mp4_module by removing or commenting out mp4 directives from the NGINX configuration file and recompiling NGINX without the module if possible. For environments that require MP4 processing, implement strict input validation and file upload controls, restrict which users or processes can trigger MP4 file processing, and isolate NGINX workers using operating system-level sandboxing or containerization to limit the impact of potential code execution. Apply the principle of least privilege to the NGINX worker processes to minimize the attack surface until patching is complete.

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

CVE-2026-42530 CRITICAL POC
9.2 Jun 17

Use-after-free in NGINX Open Source's ngx_http_v3_module allows remote unauthenticated attackers to crash worker process

CVE-2026-42055 CRITICAL POC
9.2 Jun 17

Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups

CVE-2026-9256 CRITICAL POC
9.2 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem

CVE-2026-42533 CRITICAL
9.2 Jul 15

Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D

CVE-2026-27654 HIGH
8.8 Mar 24

Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside

CVE-2026-60005 HIGH
8.8 Jul 15

Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt

CVE-2026-27651 HIGH
8.7 Mar 24

NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen

CVE-2026-27784 HIGH
8.5 Mar 24

Integer overflow in NGINX 32-bit builds with the ngx_http_mp4_module allows local attackers to corrupt or overwrite work

CVE-2026-42946 HIGH
8.3 May 13

Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p

CVE-2026-56434 HIGH
8.3 Jul 15

Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-

CVE-2024-24990 HIGH
7.5 Feb 14

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-32647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy