Buffer Manipulation Vulnerability in NGINX Open Source and NGINX Plus
CVE-2026-32647
What is CVE-2026-32647?
CVE-2026-32647 is a buffer manipulation vulnerability found in both NGINX Open Source and NGINX Plus, two widely used web server solutions developed by F5. This vulnerability resides within the ngx_http_mp4_module, which facilitates the handling of MP4 video files. If exploited, an attacker can leverage a specially crafted MP4 file to achieve a buffer over-read or over-write, potentially leading to the termination of an NGINX worker process or even arbitrary code execution. Organizations that utilize NGINX for serving web content may face severe operational disruptions, data loss, or unauthorized access due to this vulnerability, especially if the MP4 module is employed in their server configurations.
Potential impact of CVE-2026-32647
- Service Disruption: Exploiting this vulnerability may lead to the termination of NGINX worker processes, resulting in temporary or permanent unavailability of web services, which can significantly affect business operations and user experience.
- Remote Code Execution: Successful exploitation could allow an attacker to execute arbitrary code on the affected server, leading to unauthorized system control, which may facilitate further attacks or data breaches.
- Data Integrity Risks: Due to potential memory manipulation capabilities, there exists a risk of data corruption or unauthorized data access, which can compromise the integrity of sensitive information within the affected server environment.
Affected Version(s)
NGINX Open Source 1.29.0 < 1.29.7
NGINX Open Source 1.1.19 < 1.28.3
NGINX Plus R36
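
A host triage check for the version ranges listed above, combined with the point that exposure depends on the MP4 module being used in the configuration. This is an added example, not F5's or the NGINX project's tooling. `nginx -v`, `nginx -T` and the `mp4;` directive are real nginx interfaces; the function names, verdict strings, sample config and the Plus banner form `(nginx-plus-r36)` are assumptions.

```shell
#!/bin/sh
# Added example: triage a host against the affected versions listed above.
# Live use: triage "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null)"

# ver_key: "1.29.7" -> 1029007, so versions compare as integers.
ver_key() { printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'; }

# in_range VERSION LOW HIGH: true when LOW <= VERSION < HIGH.
in_range() {
    v=$(ver_key "$1"); lo=$(ver_key "$2"); hi=$(ver_key "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]
}

# oss_affected VERSION: true for the NGINX Open Source ranges on this page.
oss_affected() { in_range "$1" 1.29.0 1.29.7 || in_range "$1" 1.1.19 1.28.3; }

# parse_version: extract "1.28.2" from the line printed by `nginx -v`.
parse_version() { printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p'; }

# config_uses_mp4: read a config on stdin; true if the `mp4;` directive is
# present outside comments. Comment stripping is naive ('#' inside quotes).
config_uses_mp4() {
    sed 's/#.*//' | grep -Eq '(^|[;{}[:space:]])mp4[[:space:]]*;'
}

# triage VERSION_LINE CONFIG_TEXT: print a one-word verdict.
triage() {
    case "$1" in
        *nginx-plus-r36*) ;;  # assumed Plus banner form: "(nginx-plus-r36)"
        *nginx-plus-*) echo "plus-release-not-listed"; return 0 ;;
        *)  ver=$(parse_version "$1")
            [ -n "$ver" ] || { echo "version-unknown"; return 0; }
            oss_affected "$ver" || { echo "version-not-listed"; return 0; } ;;
    esac
    if printf '%s\n' "$2" | config_uses_mp4; then
        echo "listed-version-mp4-in-use"
    else
        echo "listed-version-mp4-not-configured"
    fi
}

# Constructed sample config (not from a real host).
SAMPLE_CONF='location /video/ {
    mp4;                  # enables MP4 handling for this location
    mp4_buffer_size 1m;
}'
triage "nginx version: nginx/1.28.2" "$SAMPLE_CONF"   # in a listed range
triage "nginx version: nginx/1.29.7" "$SAMPLE_CONF"   # outside the listed ranges
```

Distribution packages that backport fixes can keep an older upstream version number, so treat a listed version as a prompt to check the package changelog.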