{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32647", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2026-03-18T16:06:38.427Z", "datePublished": "2026-03-24T14:13:25.724Z", "dateUpdated": "2026-03-25T03:55:49.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-03-24T14:40:08.455Z"}, "title": "NGINX ngx_http_mp4_module vulnerability", "datePublic": "2026-03-24T14:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "F5", "product": "NGINX Open Source", "modules": ["ngx_http_mp4_module"], "versions": [{"status": "affected", "version": "1.29.0", "lessThan": "1.29.7", "versionType": "semver"}, {"status": "affected", "version": "1.1.19", "lessThan": "1.28.3", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "product": "NGINX Plus", "modules": ["ngx_http_mp4_module"], "versions": [{"status": "affected", "version": "R36", "lessThan": "R36 P3", "versionType": "custom"}, {"status": "affected", "version": "R35", "lessThan": "R35 P2", "versionType": "custom"}, {"status": "affected", "version": "R34", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R33", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R32", "lessThan": "R32 P5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K000160366", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "F5 acknowledges Xint Code and Pavel Kohout (Aisle Research) for bringing this issue to our attention and following the highest standards of coordinated disclosure.", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32647"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T03:55:49.464Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32647", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:51:04.619011Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:51:08.365Z"}}], "cna": {"title": "NGINX ngx_http_mp4_module vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "F5 acknowledges Xint Code and Pavel Kohout (Aisle Research) for bringing this issue to our attention and following the highest standards of coordinated disclosure."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "modules": ["ngx_http_mp4_module"], "product": "NGINX Open Source", "versions": [{"status": "affected", "version": "1.29.0", "lessThan": "1.29.7", "versionType": "semver"}, {"status": "affected", "version": "1.1.19", "lessThan": "1.28.3", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "modules": ["ngx_http_mp4_module"], "product": "NGINX Plus", "versions": [{"status": "affected", "version": "R36", "lessThan": "R36 P3", "versionType": "custom"}, {"status": "affected", "version": "R35", "lessThan": "R35 P2", "versionType": "custom"}, {"status": "affected", "version": "R34", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R33", "lessThan": "*", "versionType": "custom"}, {"status": "affected", "version": "R32", "lessThan": "R32 P5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-24T14:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000160366", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2026-03-24T14:40:08.455Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32647", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:51:11.133Z", "dateReserved": "2026-03-18T16:06:38.427Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2026-03-24T14:13:25.724Z", "assignerShortName": "f5"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "id": "CVE-2026-32647", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "f5sirt@f5.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2026-03-24T15:16:34.667", "references": [{"source": "f5sirt@f5.com", "url": "https://my.f5.com/manage/s/article/K000160366"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "f5sirt@f5.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Pavel Kohout (Aisle Research) for reporting this issue.", "bugzilla": {"description": "nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files", "id": "2449598", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449598"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in NGINX's ngx_http_mp4_module. This Out-of-Bounds Read/Write vulnerability occurs due to improper handling of specially crafted MP4 files. A local authenticated attacker, by supplying a malicious MP4 file, can trigger a buffer over-read or overwrite in worker memory. This can lead to process termination, potentially causing a denial-of-service or, under certain conditions, achieving code execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, disable the ngx_http_mp4_module in your NGINX configuration if MP4 file processing is not required. This can be done by commenting out or removing the mp4 directive from the NGINX configuration file. After modifying the configuration, a reload or restart of the NGINX service is required for the changes to take effect.\nAlternatively, restrict access to the NGINX server to trusted networks and users to prevent the upload and processing of malicious MP4 files."}, "name": "CVE-2026-32647", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "nginx:1.26/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:insights_proxy:1", "fix_state": "Affected", "package_name": "insights-proxy/insights-proxy-container-rhel9", "product_name": "Red Hat Lightspeed proxy 1"}], "public_date": "2026-03-24T18:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32647\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32647\nhttps://my.f5.com/manage/s/article/K000160366"], "statement": "This IMPORTANT vulnerability in the NGINX ngx_http_mp4_module is due to improper handling of specially crafted MP4 files. A local authenticated attacker could exploit this flaw by providing a malicious MP4 file, leading to a denial of service or potentially arbitrary code execution. Red Hat products utilizing NGINX with the ngx_http_mp4_module enabled are affected if untrusted MP4 files are processed.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.29.0,1.29.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.19,1.28.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NGINX Open Source", "source": "cna", "vendor": "F5"}, "product": "nginx_open_source", "vendor": "f5"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R36,R36 P3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R35,R35 P2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R34,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R33,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[R32,R32 P5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NGINX Plus", "source": "cna", "vendor": "F5"}, "product": "nginx_plus", "vendor": "f5"}], "analysis": {"en": {"generated_at": "2026-03-24T16:24:06.613286+00:00", "value": {"mitigation_remediation": ["Apply the latest NGINX release that includes the mp4 module patch", "Rebuild NGINX without the ngx_http_mp4_module if upgrading is not feasible", "Remove or disable the mp4 directive from configuration files", "Monitor server logs for unusual worker terminations or memory errors"], "summary": {"action": "Patch Now", "impact": "Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects both the open\u2011source edition of Nginx and Nginx Plus when they are compiled with the ngx_http_mp4_module and the mp4 directive is present in the configuration. No specific version ranges are provided, so any build that uses this module without a patch is potentially at risk. Vendors recommend updating to the latest patched releases.", "description_and_impact": "Nginx can over\u2011read or over\u2011write memory in the MP4 module, potentially allowing an attacker to terminate a worker process or achieve code execution. The flaw stems from improper bounds checking of MP4 file data, aligning with the out\u2011of\u2011bounds read weakness defined by CWE\u2011125. An external attacker may trigger the error by sending a specifically crafted MP4 file to a server that has the mp4 directive active.", "risk_and_exploitability": "The CVSS score of 8.5 reflects a high severity risk, and the lack of an EPSS entry indicates that the probability of exploitation is not currently quantified. The attack requires an attacker to deliver a specially crafted MP4 file over a network where the server processes MP4 content. If an attacker succeeds, they may cause a worker to crash or potentially run arbitrary code, which could lead to further compromise. The vulnerability is not listed in the KEV catalog, suggesting no widely known exploitation at the time of assessment."}}}}, "created": "2026-03-25T11:47:33.421315+00:00", "updated": "2026-03-25T20:50:11.937208+00:00", "vendors": ["f5", "f5$PRODUCT$nginx_open_source", "f5$PRODUCT$nginx_plus"]}