NGINX ngx_http_mp4_module vulnerability
Summary
| CVE | CVE-2026-32647 |
|---|---|
| State | PUBLISHED |
| Assigner | f5 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-24 15:16:34 UTC |
| Updated | 2026-07-15 02:20:00 UTC |
| Description | NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
Risk And Classification
Primary CVSS: v4.0 8.5 HIGH from [email protected]
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-125 | CWE-125 CWE-125 Out-of-bounds Read | CWE-125 Out-of-bounds Read
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.5 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.5 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| 3.1 | ADP | CVSS | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | F5 | Nginx Open Source | All | All | All | All |
| Application | F5 | Nginx Plus | r32 | p1 | All | All |
| Application | F5 | Nginx Plus | r32 | p2 | All | All |
| Application | F5 | Nginx Plus | r32 | p3 | All | All |
| Application | F5 | Nginx Plus | r32 | p4 | All | All |
| Application | F5 | Nginx Plus | r33 | All | All | All |
| Application | F5 | Nginx Plus | r33 | p1 | All | All |
| Application | F5 | Nginx Plus | r33 | p2 | All | All |
| Application | F5 | Nginx Plus | r33 | p3 | All | All |
| Application | F5 | Nginx Plus | r34 | All | All | All |
| Application | F5 | Nginx Plus | r34 | p1 | All | All |
| Application | F5 | Nginx Plus | r34 | p2 | All | All |
| Application | F5 | Nginx Plus | r35 | All | All | All |
| Application | F5 | Nginx Plus | r35 | p1 | All | All |
| Application | F5 | Nginx Plus | r36 | All | All | All |
| Application | F5 | Nginx Plus | r36 | p1 | All | All |
| Application | F5 | Nginx Plus | r36 | p2 | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | F5 | NGINX Open Source | affected 1.29.0 1.29.7 semver | Not specified |
| CNA | F5 | NGINX Open Source | affected 1.1.19 1.28.3 semver | Not specified |
| CNA | F5 | NGINX Plus | affected R36 R36 P3 custom | Not specified |
| CNA | F5 | NGINX Plus | affected R35 R35 P2 custom | Not specified |
| CNA | F5 | NGINX Plus | affected R34 * custom | Not specified |
| CNA | F5 | NGINX Plus | affected R33 * custom | Not specified |
| CNA | F5 | NGINX Plus | affected R32 R32 P5 custom | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 2:1.26.3-2.el10_1.1 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support | unaffected 2:1.26.3-1.el10_0.8 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | unaffected 8100020260401080144.489197e6 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 9070020260331134728.9 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 2:1.20.1-24.el9_7.2 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 9070020260407080353.9 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.0 Update Services For SAP Solutions | unaffected 1:1.20.1-10.el9_0.3 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.2 Update Services For SAP Solutions | unaffected 1:1.20.1-14.el9_2.5 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support | unaffected 1:1.20.1-16.el9_4.5 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.4 Extended Update Support | unaffected 9040020260504195322.9 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.6 Extended Update Support | unaffected 2:1.20.1-22.el9_6.5 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.6 Extended Update Support | unaffected 9060020260504194843.9 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9.6 Extended Update Support | unaffected 9060020260504154614.9 * rpm | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | unaffected 1.30.0-1.hum1 * rpm | Not specified |
| ADP | Red Hat | Red Hat Update Infrastructure 5 | unaffected 1776868774 * rpm | Not specified |
| ADP | Red Hat | Red Hat Update Infrastructure 5 | unaffected 1776868842 * rpm | Not specified |
| ADP | Red Hat | Red Hat Lightspeed Proxy 1 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:15945 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6906 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32647.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-32647 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:15966 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8346 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7002 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6923 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:15942 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| my.f5.com/manage/s/article/K000160366 | [email protected] | my.f5.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:13680 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10065 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13634 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:15943 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14836 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13839 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6907 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:7343 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: F5 acknowledges Xint Code and Pavel Kohout (Aisle Research) for bringing this issue to our attention and following the highest standards of coordinated disclosure. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-20T11:44:34.715Z | Reported to Red Hat. |
| ADP | 2026-03-24T18:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:13634: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
ADP: RHSA-2026:6906: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:6907: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:15942: Red Hat Enterprise Linux AppStream E4S (v.9.0)
ADP: RHSA-2026:14836: Red Hat Enterprise Linux AppStream E4S (v.9.2)
ADP: RHSA-2026:13839: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)
ADP: RHSA-2026:15943: Red Hat Enterprise Linux AppStream EUS (v.9.4)
ADP: RHSA-2026:15945: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:13680: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:15966: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:6923: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:7002: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:7343: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:8346: Red Hat Hardened Images
ADP: RHSA-2026:10065: Red Hat Update Infrastructure 5
Workarounds
ADP: To mitigate this issue, disable the ngx_http_mp4_module in your NGINX configuration if MP4 file processing is not required. This can be done by commenting out or removing the mp4 directive from the NGINX configuration file. After modifying the configuration, a reload or restart of the NGINX service is required for the changes to take effect. Alternatively, restrict access to the NGINX server to trusted networks and users to prevent the upload and processing of malicious MP4 files.