{"id":"CVE-2026-32647","details":"NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.","aliases":["BIT-nginx-2026-32647","BIT-nginx-gateway-2026-32647"],"modified":"2026-06-18T04:13:14.935070088Z","published":"2026-03-24T15:16:34.667Z","related":["ALSA-2026:6906","ALSA-2026:6907","ALSA-2026:6923","ALSA-2026:7002","ALSA-2026:7343","SUSE-SU-2026:2050-1","SUSE-SU-2026:21832-1","SUSE-SU-2026:2370-1","openSUSE-SU-2026:10423-1","openSUSE-SU-2026:20796-1"],"database_specific":{"unresolved_ranges":[{"vendor_product":"f5:nginx_plus","cpes":["cpe:2.3:a:f5:nginx_plus:r32:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r32:p4:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r33:p3:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r34:p2:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r35:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r35:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:*:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p1:*:*:*:*:*:*","cpe:2.3:a:f5:nginx_plus:r36:p2:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"r32-p1"},{"last_affected":"r32-p2"},{"last_affected":"r32-p3"},{"last_affected":"r32-p4"},{"last_affected":"r33"},{"last_affected":"r33-p1"},{"last_affected":"r33-p2"},{"last_affected":"r33-p3"},{"last_affected":"r34"},{"last_affected":"r34-p1"},{"last_affected":"r34-p2"},{"last_affected":"r35"},{"last_affected":"r35-p1"},{"last_affected":"r36"},{"last_affected":"r36-p1"},{"last_affected":"r36-p2"}],"source":"CPE_STRING"}]},"references":[{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000160366"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nginx/nginx","events":[{"introduced":"40616fa048ea1245b076b9530547cdb097867814"},{"fixed":"9b958b000776c88036cd800c66e7e4ad39e6fd41"},{"introduced":"235f409907fd60eb2d8f6ecdc0e5cb163dd6d45f"},{"fixed":"5ac6f49371f9fcdf21ca4b4fd2a8657576f0885b"}],"database_specific":{"cpe":"cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.1.19"},{"fixed":"1.28.3"},{"introduced":"1.29.0"},{"fixed":"1.29.7"}],"source":"CPE_RANGE"}}],"versions":["release-1.28.2","release-1.29.6","release-1.29.5","release-1.28.1","release-1.28.0","release-1.29.4","release-1.29.3","release-1.29.2","release-1.29.1","release-1.29.0","release-1.27.5","release-1.27.4","release-1.27.3","release-1.27.2","release-1.27.1","release-1.27.0","release-1.25.5","release-1.25.4","release-1.25.3","release-1.25.2","release-1.25.1","release-1.25.0","release-1.23.4","release-1.23.3","release-1.23.2","release-1.23.1","release-1.23.0","release-1.21.6","release-1.21.5","release-1.21.4","release-1.21.3","release-1.21.2","release-1.21.1","release-1.21.0","release-1.19.10","release-1.19.9","release-1.19.8","release-1.19.7","release-1.19.6","release-1.19.5","release-1.19.4","release-1.19.3","release-1.19.2","release-1.19.1","release-1.19.0","release-1.17.10","release-1.17.9","release-1.17.8","release-1.17.7","release-1.17.6","release-1.17.5","release-1.17.4","release-1.17.3","release-1.17.2","release-1.17.1","release-1.17.0","release-1.15.12","release-1.15.11","release-1.15.10","release-1.15.9","release-1.15.8","release-1.15.7","release-1.15.6","release-1.15.5","release-1.15.4","release-1.15.3","release-1.15.2","release-1.15.1","release-1.15.0","release-1.13.12","release-1.13.11","release-1.13.10","release-1.13.9","release-1.13.8","release-1.13.7","release-1.13.6","release-1.13.5","release-1.13.4","release-1.13.3","release-1.13.2","release-1.13.1","release-1.13.0","release-1.11.13","release-1.11.12","release-1.11.11","release-1.11.10","release-1.11.9","release-1.11.8","release-1.11.7","release-1.11.6","release-1.11.5","release-1.11.4","release-1.11.3","release-1.11.2","release-1.11.1","release-1.11.0","release-1.9.15","release-1.9.14","release-1.9.13","release-1.9.12","release-1.9.11","release-1.9.10","release-1.9.9","release-1.9.8","release-1.9.7","release-1.9.6","release-1.9.5","release-1.9.4","release-1.9.3","release-1.9.2","release-1.9.1","release-1.9.0","release-1.7.12","release-1.7.11","release-1.7.10","release-1.7.9","release-1.7.8","release-1.7.7","release-1.7.6","release-1.7.5","release-1.7.4","release-1.7.3","release-1.7.2","release-1.7.1","release-1.7.0","release-1.5.13","release-1.5.12","release-1.5.11","release-1.5.10","release-1.5.9","release-1.5.8","release-1.5.7","release-1.5.6","release-1.5.5","release-1.5.4","release-1.5.3","release-1.5.2","release-1.5.1","release-1.5.0","release-1.4.0","release-1.3.16","release-1.3.15","release-1.3.14","release-1.3.13","release-1.3.12","release-1.3.11","release-1.3.10","release-1.3.9","release-1.3.8","release-1.3.7","release-1.3.6","release-1.3.5","release-1.3.4","release-1.3.3","release-1.3.2","release-1.3.1","release-1.3.0","release-1.2.0","release-1.1.19"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32647.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}