PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32647 F5 CVE debrief

CVE-2026-32647 is a high-severity vulnerability affecting NGINX Open Source and NGINX Plus. It is located in the ngx_http_mp4_module module and can be triggered with a specially crafted MP4 file, potentially leading to a buffer over-read or over-write in NGINX worker memory that terminates the worker or results in code execution. The vulnerability has a CVSS score of 8.5 (HIGH). NGINX Open Source and NGINX Plus are affected only if they are built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. The attack is possible only if an attacker can trigger processing of a specially crafted MP4 file by the ngx_http_mp4_module module.

Vendor: F5
Product: NGINX Open Source
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-24
Original CVE updated: 2026-06-30
Advisory published: 2026-03-24
Advisory updated: 2026-06-30

Who should care

NGINX Open Source and NGINX Plus users who have built their installations with the ngx_http_mp4_module module and use the mp4 directive in their configuration files should be aware of this vulnerability. Additionally, security teams and administrators responsible for NGINX installations should prioritize patching or mitigating this vulnerability to prevent potential exploitation.

Technical summary

The ngx_http_mp4_module module in NGINX Open Source and NGINX Plus is vulnerable to a buffer over-read or over-write. This can occur when a specially crafted MP4 file is processed, potentially terminating the NGINX worker or leading to code execution. The vulnerability's CVSS vector is CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The weakness associated with this vulnerability is CWE-125.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, especially for NGINX installations that use the ngx_http_mp4_module module and the mp4 directive. Immediate action is recommended to prevent potential exploitation.

Recommended defensive actions

  • Review NGINX configurations to identify if the ngx_http_mp4_module module is in use and the mp4 directive is configured.
  • Apply patches or updates provided by F5 for NGINX Open Source and NGINX Plus to address the vulnerability.
  • Implement compensating controls, such as restricting access to NGINX configurations and monitoring for suspicious MP4 file processing.
  • Consider disabling the ngx_http_mp4_module module if not required.
  • Monitor NGINX logs and performance for signs of potential exploitation attempts.
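
The configuration review in the first action comes down to two facts about a host: whether the binary was built with the module, and whether an active mp4 directive exists. The script below is an added example, not from F5 or this page's source; its function names are hypothetical, the sample input is constructed, the version bounds listed on this page are assumed inclusive, and NGINX Plus releases are not mapped.

```sh
#!/bin/sh
# Added example: offline-testable audit for the mp4 module exposure conditions.
# Live use: audit "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"

# True if `nginx -V` text (stdin) shows the module was compiled in.
has_mp4_module() { grep -q -- '--with-http_mp4_module'; }

# Print file:line for each active `mp4;` directive in `nginx -T` text (stdin).
# Comments are stripped first; mp4_buffer_size and similar do not match.
mp4_locations() {
  awk 'BEGIN { file = "(stdin)" }
    /^# configuration file / { file = $4; sub(/:$/, "", file); n = 0; next }
    { n++; line = $0; sub(/#.*/, "", line)
      if (line ~ /(^|[;{} \t])mp4[ \t]*;/) print file ":" n }'
}

# $1 <= $2 in version order (needs a sort with -V, e.g. GNU coreutils).
ver_le() { [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]; }

# Open Source ranges as listed on this page; bounds assumed inclusive.
in_listed_range() {
  { ver_le 1.1.19 "$1" && ver_le "$1" 1.28.3; } ||
  { ver_le 1.29.0 "$1" && ver_le "$1" 1.29.7; }
}

# audit <nginx -V text> <nginx -T text>; prints one verdict line.
audit() {
  ver=$(printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
  if ! printf '%s\n' "$1" | has_mp4_module; then echo "OK: mp4 module not built"; return 0; fi
  hits=$(printf '%s\n' "$2" | mp4_locations | paste -s -d ' ' -)
  if [ -z "$hits" ]; then echo "OK: module built, mp4 directive unused"; return 0; fi
  if [ -z "$ver" ]; then echo "CHECK: version unknown, mp4 at $hits"; return 0; fi
  if in_listed_range "$ver"; then echo "EXPOSED: $ver in listed range, mp4 at $hits"
  else echo "CHECK: $ver outside listed Open Source ranges, mp4 at $hits"; fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_V='nginx version: nginx/1.28.0
configure arguments: --with-http_ssl_module --with-http_mp4_module'
SAMPLE_T='# configuration file /etc/nginx/nginx.conf:
http {
    mp4_buffer_size 1m;   # tuning only, not the handler
    # mp4;
    server {
        location /video/ { mp4; }
    }
}'
audit "$SAMPLE_V" "$SAMPLE_T"
```

A CHECK verdict means the module and directive are present but the version could not be matched against the Open Source ranges, so the build should be compared against the vendor advisory by hand.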

Evidence notes

The CVE-2026-32647 vulnerability was published on March 24, 2026, and last modified on June 30, 2026. The vulnerability affects multiple versions of NGINX Open Source and NGINX Plus. CPE criteria include various versions of NGINX Plus (R32 to R36) and NGINX Open Source (from 1.1.19 to 1.28.3 and 1.29.0 to 1.29.7).

This article is AI-assisted and based on the supplied source corpus.