CVE-2026-27784

EUVD-2026-14883
The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
f5nginx_open_source
1.1.19 ≤
𝑥
< 1.28.3
f5nginx_open_source
1.29.0 ≤
𝑥
< 1.29.7
𝑥
= Vulnerable software versions
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nginx
suse enterprise sap 15 SP7
1.21.5-150600.10.15.1
fixed
suse enterprise server 15 SP6
1.21.5-150600.10.15.1
fixed
suse enterprise server 15 SP7
1.21.5-150600.10.15.1
fixed
nginx-source
suse enterprise sap 15 SP7
1.21.5-150600.10.15.1
fixed
suse enterprise server 15 SP6
1.21.5-150600.10.15.1
fixed
suse enterprise server 15 SP7
1.21.5-150600.10.15.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
nginx-core
RHEL 9
2:1.20.1-24.el9_7.2
fixed
nginx-mod-mail
RHEL 9
2:1.20.1-24.el9_7.2
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://my.f5.com/manage/s/article/K000160364