CVE-2026-32647 in NGINX Open Source
Summary
by MITRE • 03/24/2026
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Analysis
by VulDB Data Team • 05/20/2026
CVE-2026-32647 resides in the ngx_http_mp4_module component of NGINX Open Source and NGINX Plus. It is a critical memory-safety flaw in MP4 file processing that could enable remote code execution or denial of service. Only systems on which ngx_http_mp4_module is built in and the mp4 directive is configured are affected, which makes media streaming servers, content delivery networks and web applications that serve MP4 video the most exposed. The flaw is triggered when NGINX processes a specially crafted MP4 file whose data structures are malformed or maliciously constructed; the resulting memory corruption can cause unpredictable behavior, including termination of the worker process or arbitrary code execution.
Technically, the vulnerability stems from inadequate input validation and memory management in the module's MP4 parsing logic. When a malicious MP4 file is served or uploaded and reaches the module, the parser fails to properly bounds-check its buffers or validate the structure of the MP4 container. This allows buffer over-read or over-write conditions that corrupt the memory of the NGINX worker process and could let an attacker execute arbitrary code with the privileges of that process. The vulnerability is classified under CWE-121 (stack-based buffer overflow) and also relates to CWE-787 (out-of-bounds write), both fundamental memory-safety weaknesses that are extensively documented and commonly exploited in advanced persistent threat campaigns.
Operationally, the vulnerability presents significant risk to organizations that rely on NGINX for media delivery, since MP4 is the common format for video streaming and content distribution. Exploitation requires the attacker to get a malicious MP4 file processed by the configured ngx_http_mp4_module, so the flaw is not automatically exploitable; specific conditions must be met. The potential impact is nevertheless severe: successful exploitation could lead to complete system compromise, especially when chained with other vulnerabilities or when the NGINX process runs with elevated privileges. Organizations using NGINX for media processing should treat this as a high-priority threat that could give attackers unauthorized access to their infrastructure and lead to data breaches, service disruption or further lateral movement within the network.
Mitigation for CVE-2026-32647 should prioritize immediate patching of affected NGINX installations with the vendor's latest security updates, which is the most effective defense. Organizations should also consider network-level controls such as content filtering and file type validation to keep MP4 files from untrusted sources from being processed. The ATT&CK framework categorizes this vulnerability under T1059.007 (command and script interpreter execution) and T1203 (exploitation for privilege escalation), indicating that successful exploitation could lead to broader system compromise. Where MP4 processing is not required, administrators should disable ngx_http_mp4_module entirely; where it is, they should apply strict access controls and monitor MP4 processing activity. Regular security assessments and penetration testing should identify exposure points, and detailed logs of MP4 processing should be retained for forensic analysis. The vulnerability also underlines the importance of keeping software components up to date and following secure coding practices that prevent buffer overflows and memory corruption in web server software.
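Because the advisory says the flaw is reachable only when the module is compiled in and the mp4 directive is in use, a quick inventory check is the first mitigation step. The following is an added example (not VulDB's or NGINX's code) that inspects `nginx -V` output for the module build flag and walks a dumped configuration (as produced by `nginx -T`) to list the location blocks that enable mp4; the sample outputs and config below are constructed for illustration.

```python
import re

# Constructed sample of `nginx -V` output (hypothetical build, not a real host)
SAMPLE_NGINX_V = """nginx version: nginx/1.27.0
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module
"""

# Constructed sample config in `nginx -T` style (hypothetical paths)
SAMPLE_CONF = """
http {
    server {
        listen 80;
        # pseudo-streaming for the public video library
        location /videos/ {
            mp4;
            mp4_buffer_size 1m;
        }
        location /static/ {
            root /srv/static;   # no mp4 here
        }
    }
}
"""

def mp4_module_built_in(nginx_v_output: str) -> bool:
    """True if the configure arguments show ngx_http_mp4_module was compiled in."""
    return "--with-http_mp4_module" in nginx_v_output

def mp4_locations(conf_text: str) -> list:
    """Return the location specs whose block contains a bare `mp4;` directive.

    Tracks brace nesting and the nearest enclosing `location` header; '#' comments
    are stripped. Assumes one block opener or closer per line (nginx -T style) and
    does not handle '#' inside quoted strings.
    """
    stack, hits = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                      # block opener, e.g. `location /x/ {`
            stack.append(line[:-1].strip())
            continue
        if line == "}":                             # block closer
            if stack:
                stack.pop()
            continue
        if re.fullmatch(r"mp4\s*;", line):          # the directive that exposes the module
            loc = next((b for b in reversed(stack) if b.startswith("location")), None)
            hits.append(loc.split(None, 1)[1] if loc else "(no location context)")
    return hits

def assess(nginx_v_output: str, conf_text: str) -> dict:
    """Summarize whether both advisory preconditions (module built in, mp4 used) hold."""
    built = mp4_module_built_in(nginx_v_output)
    locs = mp4_locations(conf_text)
    return {"module_built_in": built, "mp4_locations": locs, "exposed": built and bool(locs)}
```

On a real host, feed it the actual `nginx -V 2>&1` and `nginx -T` output; an `exposed` result means patching or removing the mp4 directive should be prioritized.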