{"id":"CVE-2022-41741","details":"NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.","aliases":["BIT-nginx-2022-41741","BIT-nginx-ingress-controller-2022-41741"],"modified":"2026-03-20T12:17:26.113996Z","published":"2022-10-19T22:15:12.647Z","related":["ALSA-2025:7402","CGA-hh4c-wwx4-cgjg","MGASA-2022-0398","SUSE-SU-2023:0205-1","SUSE-SU-2023:0210-1","SUSE-SU-2023:0212-1","SUSE-SU-2023:0293-1","openSUSE-SU-2024:12433-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/"},{"type":"ADVISORY","url":"https://support.f5.com/csp/article/K81926432"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5281"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230120-0005/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"0c54cce4e1317dc585c3ef722a7ff02cf9817747"},{"last_affected":"057157dcdd47fbb690498a0feada5f28758ab236"},{"introduced":"0"},{"last_affected":"2d2d0829a992c786a53c3bea6e804653ad2f5ba9"},{"introduced":"0"},{"last_affected":"25706769d6a5cd265ac5bdde7d6eb4606ab3d3d4"}],"database_specific":{"versions":[{"introduced":"1.1.3"},{"last_affected":"1.22.0"},{"introduced":"0"},{"last_affected":"1.23.0"},{"introduced":"0"},{"last_affected":"1.23.1"}]}},{"type":"GIT","repo":"https://github.com/nginxinc/kubernetes-ingress","events":[{"introduced":"8ffdeb3936dce69cdbcff022d22a5d6b63a536be"},{"last_affected":"addceb86fb4cfa225696a1f88f649d625e5e8857"},{"introduced":"98d94b0bf6918774007b3abcb0f318fa347cdcb2"},{"last_affected":"79566654d43c72bf3709db2ef0b60f4f928fadba"}],"database_specific":{"versions":[{"introduced":"1.9.0"},{"last_affected":"1.12.4"},{"introduced":"2.0.0"},{"last_affected":"2.4.0"}]}}],"versions":["release-1.1.10","release-1.1.11","release-1.1.12","release-1.1.13","release-1.1.14","release-1.1.15","release-1.1.16","release-1.1.17","release-1.1.18","release-1.1.19","release-1.1.3","release-1.1.4","release-1.1.5","release-1.1.6","release-1.1.7","release-1.1.8","release-1.1.9","release-1.11.0","release-1.11.1","release-1.11.10","release-1.11.11","release-1.11.12","release-1.11.13","release-1.11.2","release-1.11.3","release-1.11.4","release-1.11.5","release-1.11.6","release-1.11.7","release-1.11.8","release-1.11.9","release-1.13.0","release-1.13.1","release-1.13.10","release-1.13.11","release-1.13.12","release-1.13.2","release-1.13.3","release-1.13.4","release-1.13.5","release-1.13.6","release-1.13.7","release-1.13.8","release-1.13.9","release-1.15.0","release-1.15.1","release-1.15.10","release-1.15.11","release-1.15.12","release-1.15.2","release-1.15.3","release-1.15.4","release-1.15.5","release-1.15.6","release-1.15.7","release-1.15.8","release-1.15.9","release-1.17.0","release-1.17.1","release-1.17.10","release-1.17.2","release-1.17.3","release-1.17.4","release-1.17.5","release-1.17.6","release-1.17.7","release-1.17.8","release-1.17.9","release-1.19.0","release-1.19.1","release-1.19.10","release-1.19.2","release-1.19.3","release-1.19.4","release-1.19.5","release-1.19.6","release-1.19.7","release-1.19.8","release-1.19.9","release-1.2.0","release-1.21.0","release-1.21.1","release-1.21.2","release-1.21.3","release-1.21.4","release-1.21.5","release-1.21.6","release-1.22.0","release-1.23.0","release-1.3.0","release-1.3.1","release-1.3.10","release-1.3.11","release-1.3.12","release-1.3.13","release-1.3.14","release-1.3.15","release-1.3.16","release-1.3.2","release-1.3.3","release-1.3.4","release-1.3.5","release-1.3.6","release-1.3.7","release-1.3.8","release-1.3.9","release-1.4.0","release-1.5.0","release-1.5.1","release-1.5.10","release-1.5.11","release-1.5.12","release-1.5.13","release-1.5.2","release-1.5.3","release-1.5.4","release-1.5.5","release-1.5.6","release-1.5.7","release-1.5.8","release-1.5.9","release-1.7.0","release-1.7.1","release-1.7.10","release-1.7.11","release-1.7.12","release-1.7.2","release-1.7.3","release-1.7.4","release-1.7.5","release-1.7.6","release-1.7.7","release-1.7.8","release-1.7.9","release-1.9.0","release-1.9.1","release-1.9.10","release-1.9.11","release-1.9.12","release-1.9.13","release-1.9.14","release-1.9.15","release-1.9.2","release-1.9.3","release-1.9.4","release-1.9.5","release-1.9.6","release-1.9.7","release-1.9.8","release-1.9.9","v1.11.0","v1.11.1","v1.12.0","v1.12.1","v1.12.2","v1.12.3","v1.12.4","v1.9.0-nsmready","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.1","v2.1.2","v2.2.0","v2.2.1","v2.2.2","v2.3.0","v2.3.1","v2.4.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-41741.json","unresolved_ranges":[{"events":[{"introduced":"r22"},{"last_affected":"r27"}]},{"events":[{"introduced":"0"},{"last_affected":"r1"}]},{"events":[{"introduced":"0"},{"last_affected":"r2"}]},{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}