Unrated severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 25, 2026
NGINX ngx_http_mp4_module vulnerability
CVE-2026-32647
Description
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected products
- (no CPE)
- (no CPE) range: R36
- osv-coords (21 versions):
  - pkg:bitnami/nginx
  - pkg:bitnami/nginx-gateway
  - pkg:rpm/almalinux/nginx
  - pkg:rpm/almalinux/nginx-all-modules
  - pkg:rpm/almalinux/nginx-core
  - pkg:rpm/almalinux/nginx-filesystem
  - pkg:rpm/almalinux/nginx-mod-devel
  - pkg:rpm/almalinux/nginx-mod-http-image-filter
  - pkg:rpm/almalinux/nginx-mod-http-perl
  - pkg:rpm/almalinux/nginx-mod-http-xslt-filter
  - pkg:rpm/almalinux/nginx-mod-mail
  - pkg:rpm/almalinux/nginx-mod-stream
  - pkg:rpm/opensuse/nginx&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4
  - pkg:rpm/suse/nginx&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5
- (no CPE) range: >= 1.1.19, < 1.28.3
- (no CPE) range: >= 1.1.19, < 1.28.3
- (no CPE) range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- (no CPE) range: < 2:1.26.3-2.el10_1.1
- (no CPE) range: < 1:1.24.0-5.module_el9.7.0+220+47ec8b91.2.alma.1
- (no CPE) range: < 2:1.26.3-2.el10_1.1
- (no CPE) range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- (no CPE) range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- (no CPE) range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- (no CPE) range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- (no CPE) range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- (no CPE) range: < 1:1.24.0-3.module_el8.10.0+4159+021b4a2a.alma.1
- (no CPE) range: < 1.29.7-1.1
- (no CPE) range: < 1.21.5-150400.3.20.1
- (no CPE) range: < 1.21.5-150400.3.20.1
- (no CPE) range: < 1.21.5-150400.3.20.1
- (no CPE) range: < 1.21.5-150400.3.20.1
- (no CPE) range: < 1.21.5-150400.3.20.1
- (no CPE) range: < 1.21.5-150400.3.20.1
- (no CPE) range: < 1.21.5-150400.3.20.1
- (no CPE) range: < 1.21.5-150400.3.20.1
References
- my.f5.com/manage/s/article/K000160366 (mitre, vendor-advisory)