PatchSiren cyber security CVE debrief
CVE-2026-32647 F5 CVE debrief
CVE-2026-32647 is a high-severity vulnerability affecting NGINX Open Source and NGINX Plus. It is located in the ngx_http_mp4_module module and can be exploited using a specially crafted MP4 file, potentially leading to a buffer over-read or over-write in NGINX worker memory, which can terminate the worker process or result in code execution. The vulnerability has a CVSS score of 8.5 (HIGH). It affects NGINX Open Source and NGINX Plus only if they are built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. The attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file by that module.
- Vendor: F5
- Product: NGINX Open Source
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-24
- Advisory updated: 2026-06-30
Who should care
NGINX Open Source and NGINX Plus users who have built their installations with the ngx_http_mp4_module module and use the mp4 directive in their configuration files should be aware of this vulnerability. Additionally, security teams and administrators responsible for NGINX installations should prioritize patching or mitigating this vulnerability to prevent potential exploitation.
Technical summary
The ngx_http_mp4_module module in NGINX Open Source and NGINX Plus is vulnerable to a buffer over-read or over-write. This can occur when a specially crafted MP4 file is processed, potentially leading to termination of the NGINX worker process or code execution. The vulnerability's CVSS vector is CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The weakness associated with this vulnerability is CWE-125.
Defensive priority
High priority should be given to patching or mitigating this vulnerability, especially for NGINX installations that use the ngx_http_mp4_module module and the mp4 directive. Immediate action is recommended to prevent potential exploitation.
Recommended defensive actions
- Review NGINX configurations to identify if the ngx_http_mp4_module module is in use and the mp4 directive is configured.
- Apply patches or updates provided by F5 for NGINX Open Source and NGINX Plus to address the vulnerability.
- Implement compensating controls, such as restricting access to NGINX configurations and monitoring for suspicious MP4 file processing.
- Consider disabling the ngx_http_mp4_module module if not required.
- Monitor NGINX logs and performance for signs of potential exploitation attempts.
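For the configuration review in the first action, the following added example (not part of the original debrief or of F5's tooling) checks the conditions this page names: a version inside the listed NGINX Open Source ranges, a build that includes the module, and an active mp4 directive. The function names and sample input are constructed for illustration, the range bounds are assumed to be inclusive, and NGINX Plus release numbers are not checked.

```python
import re

# Affected NGINX Open Source ranges as listed on this page. Bounds are treated
# as inclusive (assumption: the page does not say whether the ends are included).
AFFECTED = [((1, 1, 19), (1, 28, 3)), ((1, 29, 0), (1, 29, 7))]

def parse_build(nginx_v_output):
    """Return (version tuple or None, mp4 module compiled in?) from `nginx -V`."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    version = tuple(int(x) for x in m.groups()) if m else None
    return version, "--with-http_mp4_module" in nginx_v_output

def find_mp4_directives(nginx_t_output):
    """Return (line_no, text) for each active `mp4;` directive in `nginx -T`."""
    hits = []
    for no, line in enumerate(nginx_t_output.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comments
        # The directive must start a statement, so the "mp4" file extension in
        # a types block and mp4_buffer_size do not count.
        if re.search(r"(?:^|[;{}])\s*mp4\s*;", code):
            hits.append((no, line.strip()))
    return hits

def assess(nginx_v_output, nginx_t_output):
    """Combine version range, build flag and directive use into one verdict."""
    version, built = parse_build(nginx_v_output)
    in_range = version is not None and any(lo <= version <= hi for lo, hi in AFFECTED)
    hits = find_mp4_directives(nginx_t_output)
    return {"version": version, "version_in_listed_range": in_range,
            "module_built": built, "mp4_directives": hits,
            "exposed": in_range and built and bool(hits)}

# Constructed sample input (not from a real host).
SAMPLE_V = ("nginx version: nginx/1.28.0\n"
            "configure arguments: --with-http_ssl_module --with-http_mp4_module\n")
SAMPLE_T = """\
types { video/mp4 mp4; }
server {
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
    # location /old/ { mp4; }
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_T))
```

On a real host, pass in the text of `nginx -V 2>&1` (the build information is written to stderr) and `nginx -T` in place of the samples.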
Evidence notes
The CVE-2026-32647 vulnerability was published on March 24, 2026, and last modified on June 30, 2026. The vulnerability affects multiple versions of NGINX Open Source and NGINX Plus. CPE criteria include various versions of NGINX Plus (R32 to R36) and NGINX Open Source (from 1.1.19 to 1.28.3 and 1.29.0 to 1.29.7).
Official resources
- CVE-2026-32647 CVE record (CVE.org)
- CVE-2026-32647 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.