8.5

CVE-2026-32647

Medienbericht

NGINX ngx_http_mp4_module vulnerability

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
F5Nginx Plus Versionr32 Updatep1
F5Nginx Plus Versionr32 Updatep2
F5Nginx Plus Versionr32 Updatep3
F5Nginx Plus Versionr32 Updatep4
F5Nginx Plus Versionr33
F5Nginx Plus Versionr33 Updatep1
F5Nginx Plus Versionr33 Updatep2
F5Nginx Plus Versionr33 Updatep3
F5Nginx Plus Versionr34
F5Nginx Plus Versionr34 Updatep1
F5Nginx Plus Versionr34 Updatep2
F5Nginx Plus Versionr35
F5Nginx Plus Versionr35 Updatep1
F5Nginx Plus Versionr36
F5Nginx Plus Versionr36 Updatep1
F5Nginx Plus Versionr36 Updatep2
F5Nginx Open Source Version >= 1.1.19 < 1.28.3
F5Nginx Open Source Version >= 1.29.0 < 1.29.7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.92% 0.557
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
f5sirt@f5.com 8.5 0 0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
f5sirt@f5.com 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
01.04.2026 09:30
https://my.f5.com/manage/s/article/K000160366
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:10065
https://access.redhat.com/errata/RHSA-2026:13634
https://access.redhat.com/errata/RHSA-2026:13680
https://access.redhat.com/errata/RHSA-2026:13839
https://access.redhat.com/errata/RHSA-2026:14836
https://access.redhat.com/errata/RHSA-2026:15942
https://access.redhat.com/errata/RHSA-2026:15943
https://access.redhat.com/errata/RHSA-2026:15945
https://access.redhat.com/errata/RHSA-2026:15966
https://access.redhat.com/errata/RHSA-2026:6906
https://access.redhat.com/errata/RHSA-2026:6907
https://access.redhat.com/errata/RHSA-2026:6923
https://access.redhat.com/errata/RHSA-2026:7002
https://access.redhat.com/errata/RHSA-2026:7343
https://access.redhat.com/errata/RHSA-2026:8346
https://access.redhat.com/security/cve/CVE-2026-32647
https://bugzilla.redhat.com/show_bug.cgi?id=2449598
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32647.json