Zero Day MonitorZDM

← Back to list

7.8

CVE-2026-32647PATCHED

f5 · nginx_plus

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting

Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Products

Vendor	Product	Versions
f5	nginx_plus	< 1.28.3, < 1.29.7

References

https://my.f5.com/manage/s/article/K000160366(Vendor Advisory)

Related News (2 articles)

Tier B

CERT-FR11d ago

Multiples vulnérabilités dans les produits Microsoft (30 mars 2026)

→ No new info (linked only)

Tier A

Microsoft MSRC14d ago

CVE-2026-32647 NGINX ngx_http_mp4_module vulnerability

→ No new info (linked only)

CVSS 3.17.8 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.28.31.29.7

CWECWE-125

PublishedMar 24, 2026

Last enriched8d ago

Trending Score10

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

Denial of Service Vulnerability in NGINX

Multiple Vulnerabilities in NGINX and NGINX Plus Allow Denial of Service, Data Manipulation, Security Bypass, and Potential Arbitrary Code Execution

HIGHCVE-2026-27651

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP au

HIGHCVE-2026-27784

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its term

HIGHCVE-2026-27654

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may re

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 24, 2026

Patch Available

Mar 26, 2026

Discovered by ZDM

Apr 1, 2026