PT-2022-5185 · Nginx · Nginx Open Source Subscription
Published 2022-10-19 · Updated 2026-04-21
CVE-2022-41741
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
NGINX Open Source versions 1.23.2 and 1.22.1 and earlier
NGINX Open Source Subscription versions R2 P1 and R1 P1 and earlier
NGINX Plus versions R27 P1 and R26 P1 and earlier
Description
The issue is related to a buffer-over-read vulnerability in the ngx_http_mp4_module of NGINX products. This vulnerability might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact, by using a specially crafted audio or video file. The attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the ngx_http_mp4_module, and the mp4 directive is used in the configuration file.
Recommendations
For NGINX Open Source versions 1.23.2 and 1.22.1 and earlier, update to version 1.23.2 or 1.22.1 or later.
For NGINX Open Source Subscription versions R2 P1 and R1 P1 and earlier, update to version R2 P1 or R1 P1 or later.
For NGINX Plus versions R27 P1 and R26 P1 and earlier, update to version R27 P1 or R26 P1 or later.
As a temporary workaround, consider disabling the ngx_http_mp4_module until a patch is available. Restrict access to the mp4 directive in the configuration file to minimize the risk of exploitation. Avoid using the ngx_http_mp4_module to process audio or video files until the issue is resolved.
Fix
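A defender-side audit of the three conditions this entry names (a pre-fix version, a binary built with ngx_http_mp4_module, and an `mp4;` directive in the configuration), as an added POSIX sh example that is not part of this entry or of NGINX; the fixed versions are the ones listed in the recommendations above, and the sample configuration is constructed.

```shell
#!/bin/sh
# Audit helper for CVE-2022-41741 (buffer over-read in ngx_http_mp4_module).
# Example added to this entry; not from the advisory or the NGINX project.
# Fixed releases are those the advisory lists: 1.23.2 (mainline), 1.22.1 (stable).
# version_is_fixed VERSION: succeed when VERSION carries the fix, i.e. 1.22.1+
# on the 1.22 branch, 1.23.2+ on 1.23, or any later branch. Accepts "nginx/1.x.y".
version_is_fixed() {
    IFS=. read -r major minor patch <<EOF
${1#nginx/}
EOF
    patch=${patch%%[!0-9]*}; patch=${patch:-0}   # drop "-1ubuntu"-style suffixes
    [ "$major" -eq 1 ] || { [ "$major" -gt 1 ]; return $?; }
    case $minor in
        22) [ "$patch" -ge 1 ] ;;
        23) [ "$patch" -ge 2 ] ;;
        *)  [ "$minor" -gt 23 ] ;;
    esac
}

# built_with_mp4 < `nginx -V` output: the module is not compiled in by default,
# so a binary without this flag is not exposed whatever the configuration says.
built_with_mp4() { grep -q -e '--with-http_mp4_module'; }

# config_uses_mp4 < `nginx -T` output: succeed when an uncommented `mp4;`
# directive is present, the precondition the advisory names for the attack.
config_uses_mp4() {
    sed 's/#.*//' | grep -qE '(^|[{;[:space:]])mp4[[:space:]]*;'
}

# Constructed sample standing in for `nginx -T`: pseudo-streaming enabled on a
# location that serves user-supplied files, which is the exposed configuration.
SAMPLE_CONF='server {
    listen 80;
    location /uploads/ {
        root /srv/media;
        mp4;                  # the workaround is to remove this (or the module)
        mp4_buffer_size 1m;
    }
}'

# audit VERSION V_OUTPUT T_OUTPUT: apply the three conditions in order and
# return 1 only when all of them hold (pre-fix version, module built, mp4 on).
audit() {
    if version_is_fixed "$1"; then echo "patched: $1"; return 0; fi
    printf '%s\n' "$2" | built_with_mp4 || { echo "$1 pre-fix, but mp4 module not built"; return 0; }
    printf '%s\n' "$3" | config_uses_mp4 || { echo "$1 with mp4 module built, mp4 directive unused"; return 0; }
    echo "EXPOSED: $1 with mp4 directive enabled; update or remove mp4;"; return 1
}
# Demo against the constructed sample: a stable 1.22.0 build with the module in.
audit 1.22.0 "configure arguments: --with-http_mp4_module" "$SAMPLE_CONF" || :
```

On a live host, feed the functions the real output of `nginx -v 2>&1`, `nginx -V 2>&1` and `nginx -T` instead of the constructed sample.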
Memory Corruption
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Linuxmint
Nginx Open Source
Nginx Open Source Subscription
Nginx Plus
Nginx
Red Hat
Rocky Linux
Suse
Ubuntu