Unrated severityNVD Advisory· Published Mar 24, 2026· Updated Mar 25, 2026

NGINX ngx_http_mp4_module vulnerability

CVE-2026-27784

Description

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected products

Nginx/Nginxllm-fuzzy
F5/NGINX Open Sourcev5
Range: 1.29.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

my.f5.com/manage/s/article/K000160364mitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000