CVE-2026-32647

HIGH EPSS 25.1%
Published Mar 24, 20263mo ago · Modified Jun 17, 20261w ago
8.5 CVSS 4.0
High
Find Similar
Published Mar 24, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

Base Score
8.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
25.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 18

VendorProductVersionRange
f5nginx_plusr32any
f5nginx_plusr32any
f5nginx_plusr32any
f5nginx_plusr32any
f5nginx_plusr33any
f5nginx_plusr33any
f5nginx_plusr33any
f5nginx_plusr33any
f5nginx_plusr34any
f5nginx_plusr34any
f5nginx_plusr34any
f5nginx_plusr35any
f5nginx_plusr35any
f5nginx_plusr36any
f5nginx_plusr36any
f5nginx_plusr36any
f5nginx_open_source*≥1.1.19  –  <1.28.3
f5nginx_open_source*≥1.29.0  –  <1.29.7

References 1

  • my.f5.com https://my.f5.com/manage/s/article/K000160366
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.