CVE-2026-32647

Awaiting Analysis Awaiting Analysis - Queue

Buffer Overflow in NGINX ngx_http_mp4_module Enables Code Execution

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: F5 Networks

Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-24

Last Modified

2026-03-26

Generated

2026-06-16

AI Q&A

2026-03-24

EPSS Evaluated

2026-06-15

NVD

CVE-2026-32647

EUVD

EUVD-2026-14897

Affected Vendors & Products

Vendor	Product	Version / Range
f5	nginx_plus	r32
f5	nginx_plus	r32
f5	nginx_plus	r33
f5	nginx_plus	r33
f5	nginx_plus	r34
f5	nginx_plus	r32
f5	nginx_plus	r33
f5	nginx_plus	r34
f5	nginx_plus	r36
f5	nginx_plus	r33
f5	nginx_plus	r34
f5	nginx_plus	r35
f5	nginx_plus	r36
f5	nginx_plus	r36
f5	nginx_plus	r32
f5	nginx_plus	r35
f5	nginx_open_source	From 1.29.0 (inc) to 1.29.7 (exc)
f5	nginx_open_source	From 1.1.19 (inc) to 1.28.3 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-125	The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the ngx_http_mp4_module module of NGINX Open Source and NGINX Plus. It allows an attacker to cause a buffer over-read or buffer over-write in the NGINX worker memory by using a specially crafted MP4 file. This can lead to the termination of the NGINX worker process or potentially allow the attacker to execute arbitrary code.

The vulnerability is exploitable only if NGINX is built with the ngx_http_mp4_module module and the mp4 directive is enabled in the configuration. Additionally, the attacker must be able to trigger the processing of a malicious MP4 file through this module.

Impact Analysis

This vulnerability can impact you by causing the NGINX worker process to crash, resulting in denial of service. More severely, it may allow an attacker to execute arbitrary code on the server, which could lead to full system compromise, data theft, or further attacks within your environment.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-32647. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-32647

Buffer Overflow in NGINX ngx_http_mp4_module Enables Code Execution

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart