A newly disclosed high-severity vulnerability affects both NGINX Open Source and NGINX Plus. Tracked as CVE-2026-32647, it carries a CVSS v4.0 score of 8.5 and a CVSS v3.1 score of 7.8.
Vulnerability Overview
The flaw allows a local, authenticated attacker to cause a denial of service (DoS) or execute arbitrary code on an affected system. The issue is confined to the application's data plane; the control plane is not affected. F5 credits security researchers Xint Code and Pavel Kohout of Aisle Research with identifying and reporting the vulnerability.
Technical Details and Impact
The root cause is an out-of-bounds read (CWE-125) in ngx_http_mp4_module. An attacker who can get the NGINX server to process a maliciously crafted MP4 file triggers the out-of-bounds access, which can lead to memory buffer overflows.
This memory mismanagement can terminate the worker process immediately, disrupting the connections it was serving until the process is restarted. More seriously, the memory corruption could potentially be leveraged to achieve remote code execution.
Mitigation Measures
A system is at risk only if its NGINX build includes ngx_http_mp4_module and the mp4 directive is active in its configuration. NGINX Plus ships with this module by default; in NGINX Open Source it is not built in by default and must have been enabled manually.
F5 has released updates that fix the vulnerability across the affected versions. Specifically, NGINX Plus R32 through R36 and NGINX Open Source 1.1.19 through 1.29.6 are vulnerable; fixes are available in newer releases.
Security teams are urged to update to the latest versions promptly. Where an immediate update is not feasible, F5 suggests a configuration-based workaround: disable the MP4 streaming feature (the mp4 directive) in the NGINX configuration files under /etc/nginx, which removes the threat vector until the upgrade can be applied.
After editing the configuration, verify its syntax with sudo nginx -t before reloading the service, so that the mitigation actually takes effect.
Restricting media upload privileges to trusted users is also recommended as a precautionary defense, since exploitation requires getting a crafted MP4 file processed by the server.
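The three exposure conditions above (an affected version, a build that includes the module, and an active mp4 directive) and the configuration workaround can be checked and applied with a small script. The following is an added example written for this article, not code from F5 or the NGINX project. It assumes the advisory's version ranges as stated above, uses the real build flag --with-http_mp4_module (which is how ngx_http_mp4_module is compiled into NGINX Open Source), and operates on constructed sample input rather than a live server; the function and file names are illustrative.

```python
"""Triage helper for the NGINX mp4-module issue: added example, not vendor code.

Checks the three conditions exposure depends on (affected version, module
compiled in, mp4 directive active) and produces a copy of the configuration
with the directive commented out. All sample inputs below are constructed.
"""
import re

# Affected ranges as stated in the article (inclusive).
OSS_AFFECTED = ((1, 1, 19), (1, 29, 6))   # NGINX Open Source 1.1.19 .. 1.29.6
PLUS_AFFECTED = (32, 36)                   # NGINX Plus R32 .. R36

# Constructed sample of `nginx -V` output (the flag is the real build option).
SAMPLE_NGINX_V = (
    "nginx version: nginx/1.29.6\n"
    "configure arguments: --prefix=/etc/nginx --with-http_ssl_module "
    "--with-http_mp4_module\n"
)

# Constructed sample configuration: one active mp4 directive, one commented out.
SAMPLE_CONF = """\
server {
    listen 80;
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
        mp4_max_buffer_size 5m;
    }
    location /static/ {
        # mp4;   already disabled here
        root /var/www;
    }
}
"""

# An active directive: optional indent, the word mp4, optional spaces, ';'.
MP4_DIRECTIVE = re.compile(r"^\s*mp4\s*;")


def parse_version(text):
    """Turn '1.29.6' into (1, 29, 6) so versions compare as tuples."""
    return tuple(int(p) for p in text.strip().split("."))


def oss_version_affected(version):
    """True if an NGINX Open Source version is inside the affected range."""
    low, high = OSS_AFFECTED
    return low <= parse_version(version) <= high


def plus_release_affected(release):
    """True if an NGINX Plus release label such as 'R34' is inside R32..R36."""
    m = re.fullmatch(r"R(\d+)", release.strip())
    if not m:
        raise ValueError("unexpected NGINX Plus release label: %r" % release)
    return PLUS_AFFECTED[0] <= int(m.group(1)) <= PLUS_AFFECTED[1]


def version_from_nginx_v(nginx_v_output):
    """Extract the version string from the first line of `nginx -V` output."""
    m = re.search(r"nginx/(\d+(?:\.\d+)+)", nginx_v_output)
    if not m:
        raise ValueError("could not find a version in nginx -V output")
    return m.group(1)


def build_has_mp4_module(nginx_v_output):
    """True if the build was configured with ngx_http_mp4_module."""
    return "--with-http_mp4_module" in nginx_v_output


def strip_comment(line):
    """Drop a trailing '#' comment so already-disabled directives are ignored."""
    return line.split("#", 1)[0]


def active_mp4_directives(config_text):
    """Return 1-based line numbers of every uncommented `mp4;` directive."""
    return [n for n, line in enumerate(config_text.splitlines(), start=1)
            if MP4_DIRECTIVE.match(strip_comment(line))]


def disable_mp4(config_text):
    """Return the configuration with each active `mp4;` directive commented out."""
    out = []
    for line in config_text.splitlines():
        if MP4_DIRECTIVE.match(strip_comment(line)):
            indent = line[: len(line) - len(line.lstrip())]
            out.append(indent + "# " + line.strip() + "  # disabled pending upgrade")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def exposed(nginx_v_output, config_text):
    """Exposure per the article: affected version AND module built in AND mp4 active."""
    return (oss_version_affected(version_from_nginx_v(nginx_v_output))
            and build_has_mp4_module(nginx_v_output)
            and bool(active_mp4_directives(config_text)))


if __name__ == "__main__":
    print("exposed:", exposed(SAMPLE_NGINX_V, SAMPLE_CONF))
    print("active mp4 directives on lines:", active_mp4_directives(SAMPLE_CONF))
    print(disable_mp4(SAMPLE_CONF))
```

On a real host the inputs would come from `nginx -V` (which prints the configure arguments, including --with-http_mp4_module) and from the files under /etc/nginx; after writing the rewritten configuration back, run sudo nginx -t and reload, exactly as the article describes. The version check is a first pass only: release packaging can differ, so confirm against the vendor advisory before treating a host as unaffected.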
