Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2026-32647

Опубликовано: 24 мар. 2026
Источник: nvd
CVSS3: 7.8
EPSS Низкий

Описание

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*
cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
Версия от 1.1.19 (включая) до 1.28.3 (исключая)
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
Версия от 1.29.0 (включая) до 1.29.7 (исключая)

EPSS

Процентиль: 2%
0.00013
Низкий

7.8 High

CVSS3

Дефекты

CWE-125

Связанные уязвимости

redhat логотип

CVE-2026-32647

CVSS3: 7.8
redhat
около 1 месяца назад

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

msrc логотип

CVE-2026-32647

CVSS3: 7.8
msrc
около 1 месяца назад

NGINX ngx_http_mp4_module vulnerability

debian логотип

CVE-2026-32647

CVSS3: 7.8
debian
около 1 месяца назад

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_ ...

github логотип

GHSA-6364-x4qj-7w59

CVSS3: 7.8
github
около 1 месяца назад

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

fstec логотип

BDU:2026-04819

CVSS3: 7.8
fstec
около 1 месяца назад

Уязвимость модуля ngx_http_mp4_module HTTP-сервера NGINX Plus и NGINX Open Source, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код

EPSS

Процентиль: 2%
0.00013
Низкий

7.8 High

CVSS3

Дефекты

CWE-125