CVE-2026-32647

EUVD-2026-14897

24.03.2026, 15:16

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Affected Products (NVD)

Vendor	Product	Version
f5	nginx_open_source	1.1.19 ≤ 𝑥 < 1.28.3
f5	nginx_open_source	1.29.0 ≤ 𝑥 < 1.29.7

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

nginx

suse enterprise sap 15 SP4	1.21.5-150400.3.20.1 fixed
suse enterprise sap 15 SP5	1.21.5-150400.3.20.1 fixed
suse enterprise sap 15 SP7	1.21.5-150600.10.18.1 fixed
suse enterprise server 15 SP4	1.21.5-150400.3.20.1 fixed
suse enterprise server 15 SP5	1.21.5-150400.3.20.1 fixed
suse enterprise server 15 SP6	1.21.5-150600.10.18.1 fixed
suse enterprise server 15 SP7	1.21.5-150600.10.18.1 fixed

nginx-source

suse enterprise sap 15 SP4	1.21.5-150400.3.20.1 fixed
suse enterprise sap 15 SP5	1.21.5-150400.3.20.1 fixed
suse enterprise sap 15 SP7	1.21.5-150600.10.18.1 fixed
suse enterprise server 15 SP4	1.21.5-150400.3.20.1 fixed
suse enterprise server 15 SP5	1.21.5-150400.3.20.1 fixed
suse enterprise server 15 SP6	1.21.5-150600.10.18.1 fixed
suse enterprise server 15 SP7	1.21.5-150600.10.18.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

nginx-core

RHEL 9

2:1.20.1-24.el9_7.2

fixed

nginx-mod-mail

RHEL 9

2:1.20.1-24.el9_7.2

fixed

Amazon Linux Releases

Amazon Package

Release

nginx

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-all-modules

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-core

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-core-debuginfo

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-debuginfo

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-debugsource

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-filesystem

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-devel

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-http-image-filter

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-http-image-filter-debuginfo

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-http-perl

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-http-perl-debuginfo

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-http-xslt-filter

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-http-xslt-filter-debuginfo

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-mail

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-mail-debuginfo

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-stream

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

nginx-mod-stream-debuginfo

Amazon Linux 2023

1:1.28.3-1.amzn2023.0.1

fixed

Azure Linux Releases

Azure Package

Release

nginx

Azure Linux 3.0	0:1.28.3-1.azl3 fixed
CBL-Mariner 2.0	0:1.22.1-16.cm2 fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://my.f5.com/manage/s/article/K000160366