Memory Manipulation Vulnerability in NGINX Open Source by F5 Networks
CVE-2026-27784

8.5HIGH

Key Information:

Vendor: F5
Status: Nginx Open Source
Vendor: CVE Published:; 24 March 2026

What is CVE-2026-27784?

A vulnerability exists in the 32-bit version of NGINX Open Source within the ngx_http_mp4_module. This flaw can allow an attacker to manipulate NGINX worker memory, leading to potential over-reads or overwrites. The issue arises when a specially crafted MP4 file is processed under configurations that utilize the mp4 directive. The vulnerability impacts systems built with this specific module, and an attacker must be able to trigger the processing event to exploit the flaw.

Affected Version(s)

NGINX Open Source 1.29.0 < 1.29.7

NGINX Open Source 1.1.19 < 1.28.3

References

https://my.f5.com/manage/s/article/K000160364

vendor-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Mar 18, 2026

Credit

F5 acknowledges Prabhav Srinath (sprabhav7) for bringing this issue to our attention and following the highest standards of coordinated disclosure.

CVE-2026-27784 Data

JSON