Which versions of Nginx are affected by EUVD-2026-14883?

A memory corruption vulnerability in NGINX's MP4 processing module (CVE-2026-27784) affects 32-bit server installations and could allow attackers to crash services by uploading malicious MP4 files.. A patch is available.

Nginx EUVD-2026-14883

Q: What is the CVSS score of EUVD-2026-14883?

EUVD-2026-14883 has a CVSS 4.0 base score of 8.5 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-27784 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-03-24 f5

GHSA-hwq5-42j9-jvqj

Information Disclosure Integer Overflow Nginx Red Hat Suse

8.5

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 10, 2026 - 08:30 nvd

Patch available

EUVD ID Assigned

Mar 24, 2026 - 14:45 euvd

EUVD-2026-14883

Analysis Generated

Mar 24, 2026 - 14:45 vuln.today

CVE Published

Mar 24, 2026 - 14:13 nvd

HIGH 8.5

DescriptionNVD

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AnalysisAI

Integer overflow in NGINX 32-bit builds with the ngx_http_mp4_module allows local attackers to corrupt or overwrite worker process memory via specially crafted MP4 files, leading to denial of service. The vulnerability requires the mp4 directive to be enabled in the configuration and an attacker's ability to trigger MP4 file processing. …

RemediationAI

Within 24 hours: Inventory all 32-bit NGINX deployments and identify which have the mp4 module enabled and configured. Within 7 days: Implement compensating controls (disable MP4 module if not business-critical, apply WAF rules to block suspicious MP4 uploads, or restrict MP4 processing to trusted internal sources). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory