CVE-2026-32647 Overview
CVE-2026-32647 is a memory corruption vulnerability in the ngx_http_mp4_module of both NGINX Open Source and NGINX Plus. A specially crafted MP4 file can cause a buffer over-read or over-write of NGINX worker memory. Successful exploitation can terminate the NGINX worker process or potentially enable arbitrary code execution.
The vulnerability is exploitable when NGINX is built with the ngx_http_mp4_module module and the mp4 directive is configured in the NGINX configuration file. An attacker must be able to trigger processing of a malicious MP4 file through the vulnerable module for the attack to succeed.
Critical Impact
Exploitation of this vulnerability can lead to denial of service through NGINX worker termination or potentially arbitrary code execution, compromising web server integrity and availability.
Affected Products
- F5 NGINX Plus (versions R32-P1 through R36-P2)
- F5 NGINX Open Source (multiple versions with ngx_http_mp4_module enabled)
- Any NGINX deployment using the mp4 directive in configuration
Discovery Timeline
- 2026-03-24 - CVE-2026-32647 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-32647
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), indicating that the ngx_http_mp4_module fails to properly validate boundaries when parsing MP4 file structures. The module processes MP4 atoms (the structural components of MP4 containers) and, under specific conditions, can read or write beyond allocated buffer boundaries in worker process memory.
The local attack vector requires that the attacker can submit or influence MP4 files processed by the vulnerable NGINX configuration. This could occur through file upload functionality, media streaming endpoints, or any feature that allows the ngx_http_mp4_module to process user-supplied content.
Successful exploitation does not require elevated privileges, making this vulnerability accessible to standard authenticated users or even unauthenticated users depending on the server configuration.
Root Cause
The root cause lies in improper bounds checking within the ngx_http_mp4_module when parsing MP4 file metadata structures. MP4 files use a hierarchical atom-based format where each atom contains size and type information. When processing these atoms, the module fails to adequately validate that buffer operations remain within allocated memory regions.
Specifically, malformed atom size declarations or nested atom structures can cause the parsing logic to calculate incorrect buffer offsets, leading to out-of-bounds memory access operations in the NGINX worker process.
Attack Vector
The attack requires local access to submit or upload MP4 files to a vulnerable NGINX server. The attacker crafts a specially malformed MP4 file with manipulated atom structures designed to trigger the boundary validation failure. When NGINX processes this file through the ngx_http_mp4_module, the malicious metadata causes buffer over-read or over-write operations.
The attack chain typically involves:
- Identifying an NGINX server with ngx_http_mp4_module enabled and mp4 directive configured
- Crafting an MP4 file with malformed atom structures targeting the parsing vulnerability
- Uploading or serving the malicious file to trigger processing
- Exploiting the memory corruption for denial of service or code execution
The vulnerability mechanism involves improper validation of MP4 atom sizes and offsets within the ngx_http_mp4_module parsing routines. When a specially crafted MP4 file contains malformed atom metadata, the module calculates incorrect buffer boundaries, leading to out-of-bounds memory operations. For detailed technical information, refer to the F5 Security Advisory.
Detection Methods for CVE-2026-32647
Indicators of Compromise
- Unexpected NGINX worker process crashes or restarts, particularly when processing MP4 content
- Segmentation faults or memory access violations in NGINX error logs
- Abnormal memory consumption patterns in NGINX worker processes
- Suspicious MP4 file uploads with unusual metadata structures
Detection Strategies
- Monitor NGINX error logs for segmentation faults, memory corruption errors, or unexpected worker terminations
- Implement file integrity monitoring on MP4 upload directories to detect anomalous file characteristics
- Deploy network-based detection rules to identify malformed MP4 files targeting known atom structure vulnerabilities
- Use web application firewalls (WAF) with content inspection capabilities for uploaded media files
Monitoring Recommendations
- Enable detailed NGINX error logging and configure centralized log collection for correlation analysis
- Set up alerts for NGINX worker process crashes or unexpected restarts in your monitoring infrastructure
- Monitor system-level events for segmentation faults associated with NGINX processes
- Implement rate limiting and anomaly detection for MP4 file upload endpoints
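The Detection Strategies and Monitoring Recommendations above both come down to watching the NGINX error log for worker crashes and alerting on them. The script below is an added example (not part of this advisory and not F5 or NGINX code) that parses constructed error-log lines in the standard NGINX format, counts crashes caused by memory-fault signals (SIGSEGV, SIGBUS, SIGABRT), and raises an alert when several such crashes cluster inside a short window. The sample log, the threshold and the window length are assumptions chosen for illustration.

```python
"""Scan NGINX error-log lines for worker crashes that may indicate memory
corruption such as an out-of-bounds access in ngx_http_mp4_module.
Added example; the log lines below are constructed, not captured."""
import re
from collections import Counter
from datetime import datetime, timedelta

# NGINX logs a crashed worker as:
#   <date> [alert] <master>#<tid>: worker process <pid> exited on signal <n>[ (core dumped)]
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<master>\d+)#\d+: worker process (?P<pid>\d+) exited on signal "
    r"(?P<sig>\d+)(?P<core> \(core dumped\))?"
)

# Signals that point at memory corruption rather than a normal shutdown.
MEMORY_FAULT_SIGNALS = {6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV"}

# Constructed sample: three segfaults in quick succession, then benign exits.
SAMPLE_ERROR_LOG = """\
2026/03/24 10:15:01 [notice] 1200#1200: start worker process 1250
2026/03/24 10:15:32 [alert] 1200#1200: worker process 1250 exited on signal 11 (core dumped)
2026/03/24 10:15:32 [notice] 1200#1200: start worker process 1261
2026/03/24 10:16:05 [alert] 1200#1200: worker process 1261 exited on signal 11
2026/03/24 10:17:40 [alert] 1200#1200: worker process 1272 exited on signal 11 (core dumped)
2026/03/24 10:30:00 [notice] 1200#1200: worker process 1283 exited with code 0
2026/03/24 11:02:10 [alert] 1200#1200: worker process 1290 exited on signal 15
"""


def parse_crashes(lines):
    """Return one dict per 'exited on signal' line; other lines are ignored."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line.strip())
        if not m:
            continue
        crashes.append({
            "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "pid": int(m.group("pid")),
            "signal": int(m.group("sig")),
            "core_dumped": m.group("core") is not None,
        })
    return crashes


def memory_fault_summary(crashes):
    """Count crashes caused by memory-fault signals, keyed by signal name."""
    counts = Counter()
    for c in crashes:
        name = MEMORY_FAULT_SIGNALS.get(c["signal"])
        if name:
            counts[name] += 1
    return dict(counts)


def burst_alerts(crashes, threshold=3, window=timedelta(minutes=5)):
    """Sliding window over memory-fault crashes: return the start time of each
    window that contains at least `threshold` crashes (deduplicated)."""
    faults = sorted(c["time"] for c in crashes if c["signal"] in MEMORY_FAULT_SIGNALS)
    alerts = []
    start = 0
    for end in range(len(faults)):
        while faults[end] - faults[start] > window:
            start += 1
        if end - start + 1 >= threshold and (not alerts or alerts[-1] != faults[start]):
            alerts.append(faults[start])
    return alerts


if __name__ == "__main__":
    found = parse_crashes(SAMPLE_ERROR_LOG.splitlines())
    print("worker crashes:", len(found))
    print("memory-fault signals:", memory_fault_summary(found))
    for when in burst_alerts(found):
        print(f"ALERT: crash burst starting {when:%Y-%m-%d %H:%M:%S}")
```

In production the same functions can be fed from a log shipper or a tail of `error_log`; the SIGTERM line in the sample shows why filtering on signal number matters, since a normal `nginx -s reload` or stop also ends workers.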
How to Mitigate CVE-2026-32647
Immediate Actions Required
- Review NGINX configurations to identify deployments using the ngx_http_mp4_module with the mp4 directive
- Apply the latest security patches from F5 for NGINX Open Source and NGINX Plus
- Consider temporarily disabling the ngx_http_mp4_module if MP4 streaming functionality is not critical
- Implement strict file validation for any MP4 upload functionality
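The first action above, finding deployments that both compile in ngx_http_mp4_module and configure the mp4 directive, can be automated. The following is an added example (not from this advisory, F5 or NGINX) that checks `nginx -V` output for the real build flag `--with-http_mp4_module` and walks NGINX configuration text to report every active `mp4;` directive with its enclosing block, ignoring commented-out ones. The sample configuration and the `nginx -V` text are constructed; the tokenizer is a simplification that handles one directive per line and does not special-case `#` inside quoted strings.

```python
"""Locate NGINX deployments that need the CVE-2026-32647 patch or workaround:
is the mp4 module compiled in, and where is the mp4 directive active?
Added example; inputs below are constructed."""
import re

# One match per token: a block opener ("location /x/ {"), a closer ("}"),
# or a statement ending in ";". Simplification: '#' inside quotes is treated
# as a comment start, and a directive split across lines is not reassembled.
TOKEN_RE = re.compile(r"(?P<open>[^{};]*)\{|(?P<close>\})|(?P<stmt>[^{};]+);")

# Constructed sample config: two active mp4 directives, one commented out.
SAMPLE_CONFIG = """\
http {
    server {
        listen 80;
        location /video/ {
            mp4;
            mp4_buffer_size 1m;
        }
        location /clips/ { mp4; }
        location /static/ {
            # mp4;   (already disabled)
            root /var/www;
        }
    }
}
"""

# Constructed `nginx -V` output (the version string is a placeholder).
SAMPLE_NGINX_V = (
    "nginx version: nginx/<version>\n"
    "configure arguments: --prefix=/etc/nginx --with-http_ssl_module "
    "--with-http_mp4_module\n"
)


def module_compiled_in(nginx_v_output):
    """True if `nginx -V` shows the mp4 module was enabled at build time."""
    return "--with-http_mp4_module" in nginx_v_output.split()


def find_mp4_directives(config_text):
    """Return [(line_number, enclosing_block)] for each active `mp4;` directive."""
    hits, stack = [], []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        code = raw.split("#", 1)[0]          # drop comments
        for m in TOKEN_RE.finditer(code):
            if m.group("close"):
                if stack:
                    stack.pop()
            elif m.group("stmt") is not None:
                if m.group("stmt").strip() == "mp4":
                    hits.append((lineno, stack[-1] if stack else "<main>"))
            else:                             # block opener
                stack.append(m.group("open").strip() or "<unnamed block>")
    return hits


def needs_attention(nginx_v_output, config_text):
    """Exploitable per the advisory only when both conditions hold."""
    return module_compiled_in(nginx_v_output) and bool(find_mp4_directives(config_text))


if __name__ == "__main__":
    print("mp4 module compiled in:", module_compiled_in(SAMPLE_NGINX_V))
    for lineno, block in find_mp4_directives(SAMPLE_CONFIG):
        print(f"active mp4 directive at line {lineno} in '{block}'")
    print("needs patch/workaround:", needs_attention(SAMPLE_NGINX_V, SAMPLE_CONFIG))
```

On a live host, feed `nginx -V 2>&1` to `module_compiled_in` and the output of `nginx -T` (which dumps the fully resolved configuration, includes expanded) to `find_mp4_directives`, so that directives pulled in through `include` files are not missed.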
Patch Information
F5 has released security updates to address this vulnerability. Organizations should consult the F5 Security Advisory K000160366 for specific patched versions and upgrade instructions. Ensure all NGINX Open Source and NGINX Plus installations are updated to versions that include the security fix.
For NGINX Plus, affected versions include R32-P1 through R36-P2. Upgrade to the latest available release that addresses CVE-2026-32647.
Workarounds
- Disable the ngx_http_mp4_module by removing or commenting out the mp4 directive in NGINX configuration files
- Implement upstream content validation to reject MP4 files before they reach NGINX processing
- Use a reverse proxy or WAF to filter and validate MP4 files before they are processed by vulnerable NGINX instances
- Restrict access to MP4 upload or streaming endpoints to trusted users only
# Disable the mp4 module in the NGINX configuration
# Comment out or remove the mp4 directive in location blocks
# Before (vulnerable):
# location /video/ {
#     mp4;
# }
# After (mitigated):
location /video/ {
    # mp4 directive disabled pending security patch
    # mp4;
}
# Test and reload the NGINX configuration
nginx -t && nginx -s reload
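The second and third workarounds above, and the "strict file validation" item under Immediate Actions, call for rejecting malformed MP4 files before NGINX parses them. The script below is an added example (not from this advisory, F5 or NGINX) of a structural pre-check that walks the MP4 atom tree and rejects any atom whose declared size is smaller than its own header, overruns its parent or the file, or nests too deeply, which is exactly the class of malformed size declaration the Root Cause section describes. The sample files, the set of container atoms, and the depth limit are assumptions; the samples are constructed in code, not taken from any real exploit.

```python
"""Reject structurally inconsistent MP4 files before they reach an NGINX
mp4 location. Added example; all sample files are constructed inline."""
import struct

# Atoms whose payload is a sequence of child atoms (assumed subset; 'meta'
# is deliberately excluded because it carries a version field before children).
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf"}
MAX_DEPTH = 16


def validate_atoms(data, start=0, end=None, depth=0):
    """Walk the atoms in data[start:end]; return (True, "") or (False, reason)."""
    if end is None:
        end = len(data)
    if depth > MAX_DEPTH:
        return False, "atom nesting too deep"
    pos = start
    while pos < end:
        if end - pos < 8:
            return False, f"truncated atom header at offset {pos}"
        size, atype = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:                                   # 64-bit extended size
            if end - pos < 16:
                return False, f"truncated extended size at offset {pos}"
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                                 # "to end of file"
            if depth != 0:
                return False, f"size-0 atom {atype!r} nested at offset {pos}"
            size = end - pos
        if size < header:
            return False, f"atom {atype!r} at offset {pos} declares size {size} < header"
        if pos + size > end:
            return False, (f"atom {atype!r} at offset {pos} declares size {size}, "
                           f"exceeding enclosing bounds by {pos + size - end} bytes")
        if atype in CONTAINER_ATOMS:
            ok, reason = validate_atoms(data, pos + header, pos + size, depth + 1)
            if not ok:
                return False, reason
        pos += size
    return True, ""


def check_upload(data):
    """Entry point for an upload filter: must start with ftyp and have a consistent tree."""
    if len(data) < 8 or data[4:8] != b"ftyp":
        return False, "file does not start with an ftyp atom"
    return validate_atoms(data)


def atom(atype, payload=b""):
    """Build one atom with a 32-bit size header (used only to construct samples)."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


# Constructed sample: minimal well-formed layout (payloads are zero-filled).
GOOD_MP4 = (
    atom(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isomiso2mp41")
    + atom(b"moov", atom(b"mvhd", b"\x00" * 100) + atom(b"trak", atom(b"tkhd", b"\x00" * 84)))
    + atom(b"mdat", b"\x00" * 32)
)


def _oversized_child():
    """Constructed sample: 'trak' declares 4096 more bytes than its parent holds."""
    good_trak = atom(b"trak", atom(b"tkhd", b"\x00" * 84))
    bad_trak = struct.pack(">I4s", len(good_trak) + 4096, b"trak") + good_trak[8:]
    return atom(b"ftyp", b"isom" + b"\x00" * 4) + atom(b"moov", atom(b"mvhd", b"\x00" * 100) + bad_trak)


BAD_OVERSIZED = _oversized_child()
# Constructed sample: an atom declaring size 4, smaller than its own 8-byte header.
BAD_UNDERSIZED = atom(b"ftyp", b"isom" + b"\x00" * 4) + struct.pack(">I4s", 4, b"free")
# Constructed sample: a file cut off before the last atom ends.
BAD_TRUNCATED = GOOD_MP4[:-10]

if __name__ == "__main__":
    for name, blob in [("good", GOOD_MP4), ("oversized", BAD_OVERSIZED),
                       ("undersized", BAD_UNDERSIZED), ("truncated", BAD_TRUNCATED)]:
        ok, reason = check_upload(blob)
        print(f"{name:10s} -> {'accept' if ok else 'reject: ' + reason}")
```

This check is cheap enough to run in an upload handler or a proxy-side filter and catches the inconsistent size declarations the advisory describes, but it only establishes that the atom tree is self-consistent; it does not replace the vendor patch, which should still be applied.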
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

