8.5

CVE-2026-27784

NGINX ngx_http_mp4_module vulnerability

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
F5Nginx Open Source Version >= 1.1.19 < 1.28.3
F5Nginx Open Source Version >= 1.29.0 < 1.29.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.03% 0.594
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
f5sirt@f5.com 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
f5sirt@f5.com 8.5 0 0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

https://my.f5.com/manage/s/article/K000160364
Vendor Advisory
Mitigation
https://access.redhat.com/errata/RHSA-2026:10065
https://access.redhat.com/errata/RHSA-2026:13634
https://access.redhat.com/errata/RHSA-2026:13680
https://access.redhat.com/errata/RHSA-2026:13839
https://access.redhat.com/errata/RHSA-2026:14836
https://access.redhat.com/errata/RHSA-2026:15942
https://access.redhat.com/errata/RHSA-2026:15943
https://access.redhat.com/errata/RHSA-2026:15945
https://access.redhat.com/errata/RHSA-2026:15966
https://access.redhat.com/errata/RHSA-2026:6906
https://access.redhat.com/errata/RHSA-2026:6907
https://access.redhat.com/errata/RHSA-2026:6923
https://access.redhat.com/errata/RHSA-2026:7002
https://access.redhat.com/errata/RHSA-2026:7343
https://access.redhat.com/errata/RHSA-2026:8346
https://access.redhat.com/security/cve/CVE-2026-27784
https://bugzilla.redhat.com/show_bug.cgi?id=2450785
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27784.json