CVE-2026-32647

Name of the Vulnerable Software and Affected Versions NGINX Open Source and NGINX Plus (affected versions not specified)

Description A flaw exists in the ngx http mp4 module module that could allow an attacker to cause a buffer over-read or over-write to NGINX worker memory. This can lead to NGINX termination or potentially code execution. The issue occurs when processing a specially crafted MP4 file, and requires the ngx http mp4 module to be built with the mp4 directive enabled in the configuration file. The attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx http mp4 module.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.