Description
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-03-24
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption that may lead to code execution in NGINX workers
Action: Immediate patch
AI Analysis

Impact

NGINX Open Source and NGINX Plus contain a flaw in the ngx_http_mp4_module that allows a specially crafted MP4 file to trigger a buffer over-read or over-write of worker memory. The resulting memory corruption can terminate the worker process or, in the worst case, enable arbitrary code execution within the NGINX worker's context. This is a classic out-of-bounds read/write condition, tracked as CWE-125.

Affected Systems

The vulnerability affects all builds of F5's NGINX Open Source and NGINX Plus that include the ngx_http_mp4_module and use the mp4 directive in their configuration. Specific product versions are not listed, so any installed version built with the module is potentially vulnerable. The module is present in NGINX Plus releases from r32 onward, but all such builds are covered by the advisory.

Risk and Exploitability

The CVSS base score of 8.5 indicates high severity, but the EPSS score of less than 1% suggests that active exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to deliver a crafted MP4 file that flows through the ngx_http_mp4_module, limiting the threat to environments that serve MP4 traffic via this module. Nonetheless, a successful exploit could crash workers or provide code-execution privileges, warranting prompt mitigation.

Generated by OpenCVE AI on March 26, 2026 at 22:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NGINX to the latest stable release that contains the fix for the ngx_http_mp4_module vulnerability, following the vendor advisory at https://my.f5.com/manage/s/article/K000160366.
  • If an update is not yet available or feasible, disable the ngx_http_mp4_module or remove any mp4 directives from the configuration to eliminate the attack surface.
  • Restrict access to MP4 files by applying firewall or ACL rules that allow only trusted sources, or serve MP4 content through a separate backend that does not use the vulnerable module.
  • Monitor NGINX worker process health and logs for unexpected crashes or memory errors and adjust alerting accordingly.
  • Verify the NGINX configuration with `nginx -t` after changes and confirm that the module is no longer loaded.
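The three checks behind the actions above (is the module compiled in, is the `mp4` directive active, are workers crashing), written as an added shell example; this is not code from the OpenCVE page or from F5. It assumes the standard `nginx -V` output, in which the configure argument `--with-http_mp4_module` shows the module was built in, and the standard nginx error-log line for a worker crash ("worker process N exited on signal S"). Every sample input below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the OpenCVE page or from F5. Three text-based
# checks that map to the recommended actions for CVE-2026-32647:
#   1. is nginx built with ngx_http_mp4_module?  (`nginx -V` lists the configure
#      arguments; the module appears as --with-http_mp4_module)
#   2. does the configuration contain an active `mp4;` directive?
#   3. are workers crashing?  (nginx logs "worker process N exited on signal S")
# Each function takes the relevant text as an argument so it can be exercised
# on the constructed samples at the bottom without a real nginx install.

# 0 if the given `nginx -V` output shows the mp4 module compiled in.
mp4_module_built() {
  printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# 0 if the given config text has an uncommented `mp4;` directive.
# Lines whose first non-blank character is '#' are ignored; `mp4_buffer_size`
# and similar do not match because the directive name must be followed by ';'.
mp4_directive_used() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
    | grep -Eq '^[[:space:]]*mp4[[:space:]]*;'
}

# 0 only when the vulnerable code path is reachable: module built AND
# directive active. Either condition alone is not enough (see Description).
mp4_exposed() {
  mp4_module_built "$1" && mp4_directive_used "$2"
}

# Number of worker-crash lines in the given error-log text (prints 0 if none).
worker_crash_count() {
  printf '%s\n' "$1" | grep -Ec 'worker process [0-9]+ exited on signal [0-9]+' || true
}

# Human-readable verdict; always returns 0 so it is safe under `set -e`.
mp4_report() {
  if mp4_exposed "$1" "$2"; then
    echo "EXPOSED: ngx_http_mp4_module compiled in and mp4 directive active"
  elif mp4_module_built "$1"; then
    echo "module compiled in, but no active mp4 directive found"
  else
    echo "ngx_http_mp4_module not compiled in"
  fi
  return 0
}

# --- constructed sample input (not captured from any real host) ---
SAMPLE_V='nginx version: nginx/1.27.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'

SAMPLE_CONF_VULN='location /video/ {
    mp4;
    mp4_buffer_size 1m;
}'

SAMPLE_CONF_FIXED='location /video/ {
    # mp4;   disabled pending the fix for CVE-2026-32647
}'

SAMPLE_LOG='2026/03/26 10:00:01 [notice] 1#1: start worker process 20
2026/03/26 10:00:05 [alert] 1#1: worker process 20 exited on signal 11 (core dumped)
2026/03/26 10:00:05 [notice] 1#1: start worker process 21
2026/03/26 10:00:09 [alert] 1#1: worker process 21 exited on signal 11 (core dumped)'

# On a real host the three inputs would come from, for example:
#   nginx -V 2>&1                (configure arguments are printed to stderr)
#   nginx -T 2>/dev/null         (full resolved configuration, including includes)
#   tail -n 1000 /var/log/nginx/error.log
mp4_report "$SAMPLE_V" "$SAMPLE_CONF_VULN"
mp4_report "$SAMPLE_V" "$SAMPLE_CONF_FIXED"
echo "worker crashes in sample log: $(worker_crash_count "$SAMPLE_LOG")"
```

Feed the configuration check the output of `nginx -T` rather than a hand-picked set of files, since an `mp4;` directive can live in any included file. A non-zero crash count alone does not prove exploitation, but repeated signal 11 exits on a server that serves MP4 through this module are the symptom the monitoring action above is looking for.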

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:15:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
  cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*

Thu, 26 Mar 2026 00:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity = None
Values Added: threat_severity = Important


Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added:
  F5
  F5 nginx Open Source
  F5 nginx Plus

Type: Vendors & Products
Values Added:
  F5
  F5 nginx Open Source
  F5 nginx Plus

Tue, 24 Mar 2026 15:15:00 +0000

Type: Description
Values Removed: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted mp4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Values Added: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 14:45:00 +0000

Type: Description
Values Added: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted mp4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Added: NGINX ngx_http_mp4_module vulnerability

Type: Weaknesses
Values Added: CWE-125

Type: References

Type: Metrics
Values Added:
  cvssV3_1
  {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0
  {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-03-25T03:55:49.464Z

Reserved: 2026-03-18T16:06:38.427Z

Link: CVE-2026-32647

Vulnrichment

Updated: 2026-03-24T14:51:08.365Z

NVD

Status : Analyzed

Published: 2026-03-24T15:16:34.667

Modified: 2026-03-26T21:11:50.710

Link: CVE-2026-32647

Redhat

Severity : Important

Public Date: 2026-03-24T18:00:00Z

Links: CVE-2026-32647 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:21:03Z

Weaknesses