CVE-2026-32647 NGINX ngx_http_mp4_module vulnerability

🗓️ 24 Mar 2026 14:13:25Reported by f5Type

CVE-2026-32647 affects NGINX Open Source and Plus with ngx_http_mp4_module; a crafted MP4 file can trigger buffer over-read or over-write, risking worker termination or code execution.

Reporter	Title	Published	Views	Family All 185
ATTACKERKB	CVE-2026-32647	24 Mar 202614:13	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : nginx, nginx-all-modules, nginx-core (ALAS2023-2026-1540)	13 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nginx, --advisory ALAS2NGINX1-2026-011 (ALASNGINX1-2026-011)	14 Apr 202600:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0137: nginx (ALINUX3-SA-2026:0137)	29 May 202600:00	–	nessus
Tenable Nessus	AlmaLinux 10 : nginx (ALSA-2026:6906)	10 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 8 : nginx:1.24 (ALSA-2026:6907)	16 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 9 : nginx:1.24 (ALSA-2026:6923)	10 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 9 : nginx:1.26 (ALSA-2026:7343)	16 Apr 202600:00	–	nessus
Tenable Nessus	Debian dla-4589 : libnginx-mod-http-auth-pam - security update	18 May 202600:00	–	nessus
Tenable Nessus	Fedora 44 : nginx / nginx-mod-brotli / nginx-mod-fancyindex / etc (2026-4de4d247a0)	29 Apr 202600:00	–	nessus

[
  {
    "vendor": "F5",
    "product": "NGINX Open Source",
    "modules": [
      "ngx_http_mp4_module"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "1.29.0",
        "lessThan": "1.29.7",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "1.1.19",
        "lessThan": "1.28.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "F5",
    "product": "NGINX Plus",
    "modules": [
      "ngx_http_mp4_module"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "R36",
        "lessThan": "R36 P3",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "R35",
        "lessThan": "R35 P2",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "R34",
        "lessThan": "*",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "R33",
        "lessThan": "*",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "R32",
        "lessThan": "R32 P5",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
my	www.my.f5.com/manage/s/article/K000160366

24 Mar 2026 14:40Current

CVSS 3.17.8

CVSS 48.5

EPSS0.00026

CWE-125