CVE-2026-32647

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://my.f5.com/manage/s/article/K000160366	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:f5:nginx_plus:r32:p1::::::
	cpe:2.3:a:f5:nginx_plus:r32:p2::::::
	cpe:2.3:a:f5:nginx_plus:r32:p3::::::
	cpe:2.3:a:f5:nginx_plus:r32:p4::::::
	cpe:2.3:a:f5:nginx_plus:r33:::::::*
	cpe:2.3:a:f5:nginx_plus:r33:p1::::::
	cpe:2.3:a:f5:nginx_plus:r33:p2::::::
	cpe:2.3:a:f5:nginx_plus:r33:p3::::::
	cpe:2.3:a:f5:nginx_plus:r34:::::::*
	cpe:2.3:a:f5:nginx_plus:r34:p1::::::
	cpe:2.3:a:f5:nginx_plus:r34:p2::::::
	cpe:2.3:a:f5:nginx_plus:r35:::::::*
	cpe:2.3:a:f5:nginx_plus:r35:p1::::::
	cpe:2.3:a:f5:nginx_plus:r36:::::::*
	cpe:2.3:a:f5:nginx_plus:r36:p1::::::
	cpe:2.3:a:f5:nginx_plus:r36:p2::::::

Configuration 2 (hide)

OR	cpe:2.3:a:f5:nginx_open_source::::::::
	cpe:2.3:a:f5:nginx_open_source::::::::

History

No history.

Information

Published : 2026-03-24 15:16

Updated : 2026-03-26 21:11

NVD link : CVE-2026-32647

Mitre link : CVE-2026-32647

CVE.ORG link : CVE-2026-32647

JSON object : View

Products Affected

f5

nginx_plus
nginx_open_source

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2026-32647", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "f5sirt@f5.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "f5sirt@f5.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T15:16:34.667", "references": [{"url": "https://my.f5.com/manage/s/article/K000160366", "tags": ["Vendor Advisory"], "source": "f5sirt@f5.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "f5sirt@f5.com", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "NGINX Open Source y NGINX Plus tienen una vulnerabilidad en el m\u00f3dulo ngx_http_mp4_module, que podr\u00eda permitir a un atacante desencadenar una lectura o escritura excesiva de b\u00fafer en la memoria del proceso worker de NGINX, lo que resultar\u00eda en su terminaci\u00f3n o posiblemente en la ejecuci\u00f3n de c\u00f3digo, utilizando un archivo MP4 especialmente dise\u00f1ado. Este problema afecta a NGINX Open Source y NGINX Plus si est\u00e1 compilado con el m\u00f3dulo ngx_http_mp4_module y la directiva mp4 se utiliza en el archivo de configuraci\u00f3n. Adem\u00e1s, el ataque es posible solo si un atacante puede desencadenar el procesamiento de un archivo MP4 especialmente dise\u00f1ado con el m\u00f3dulo ngx_http_mp4_module.\n\nNota: Las versiones de software que han alcanzado el Fin de Soporte T\u00e9cnico (EoTS) no son evaluadas."}], "lastModified": "2026-03-26T21:11:50.710", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA913184-EAAD-409E-99C6-AB979DAA93F3"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "782DF180-1101-4D6A-A1D7-8DADBAF6D9D3"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB0B11F2-4748-492B-9906-F8C4C5EAFF12"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86B53968-1CCA-4CF3-8454-BB92EF64D10E"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F58BD02-EA76-4F32-87D6-430026C8553E"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46DC49B8-7286-4867-9CDA-1C1B469CD304"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43477C2E-7485-4146-B25C-F58D632CD85B"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A25B9CF-02C0-42DE-9C70-F2AD3ACE3CEB"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86358605-55F9-4F6F-846A-3F48738F6E05"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7453D683-FCA7-46EE-BE49-5FD9A01D7F87"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A977BF9F-D165-4B93-B4D2-A177883A5E75"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C643CEF2-F421-4E2C-AD39-51CE820F2238"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4958360C-7993-4C82-8685-202D4940CE01"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "942CA349-3FF8-4B9D-B87E-FBA8930CE913"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7993A0FB-BE7E-4634-BF7F-FDEE3582D3E7"}, {"criteria": "cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "862EA47E-8D57-434E-9C8F-238325FB85B2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "510D19AC-5184-437F-B196-1454B33B6E49", "versionEndExcluding": "1.28.3", "versionStartIncluding": "1.1.19"}, {"criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C0EFE28B-E8E5-464E-B407-96436CA87C8E", "versionEndExcluding": "1.29.7", "versionStartIncluding": "1.29.0"}], "operator": "OR"}]}], "sourceIdentifier": "f5sirt@f5.com"}