Critical F5 NGINX Vulnerability Lets Attackers Execute Code via MP4 Files
Key Takeaways A critical vulnerability, CVE-2026-32647, affects both NGINX Open Source and NGINX Plus, potentially allowing remote code execution or denial-of-service. The flaw resides in the...
Key Takeaways
- A critical vulnerability, CVE-2026-32647, affects both NGINX Open Source and NGINX Plus, potentially allowing remote code execution or denial-of-service.
- The flaw resides in the
ngx_http_mp4_module, exploitable via specially crafted MP4 files. - Impacted versions range from NGINX Plus R32-R36 and NGINX Open Source 1.1.19-1.29.6.
- F5 has released patches, and immediate updates are strongly recommended.
A significant security flaw has been identified in F5’s NGINX Open Source and NGINX Plus web servers, posing a risk of denial-of-service (DoS) or arbitrary code execution. Cataloged as CVE-2026-32647, this vulnerability carries a high CVSS v4.0 base score of 8.5 and a CVSS v3.1 score of 7.8.
Table Of Content
The vulnerability enables authenticated local attackers to disrupt services or potentially execute malicious code on the compromised system. F5 has confirmed that the issue is confined to the application’s data plane, with no exposure in the control plane. Credit for discovering and responsibly disclosing this flaw goes to researchers Xint Code and Pavel Kohout from Aisle Research.
F5 NGINX Plus and Open Source Vulnerability Details
The root cause of this security vulnerability is an out-of-bounds read error, categorized under CWE-125. This memory corruption bug is specifically located within the ngx_http_mp4_module. Attackers can leverage this weakness by tricking the NGINX server into processing a maliciously crafted MP4 file.
Upon parsing the malformed media file, the NGINX worker process experiences a buffer overflow or underflow in its memory. This memory manipulation leads to the immediate termination of the worker process, causing a temporary disruption of active network traffic while the system attempts to restart the process. Beyond merely causing a denial-of-service, this memory corruption could theoretically be chained by attackers to achieve remote code execution on the underlying host machine.
For an NGINX instance to be susceptible, it must have been built with the ngx_http_mp4_module and actively use the mp4 directive within its configuration. NGINX Plus includes this module by default. Conversely, NGINX Open Source users are only at risk if they explicitly compiled and enabled the module. F5 has since released software updates to address this vulnerability across all affected product lines.
Other F5 products, including BIG-IP, BIG-IQ, F5OS, and F5 Distributed Cloud, are not impacted by this vulnerability. NGINX Plus versions R32 through R36 are affected, with fixes available in R36 P3, R35 P2, and R32 P5. NGINX Open Source versions 1.1.19 through 1.29.6 are vulnerable, with patches released in versions 1.28.3 and 1.29.7.
What You Should Do
- Update Immediately: Apply the latest patched releases for NGINX Plus (R36 P3, R35 P2, R32 P5) or NGINX Open Source (1.28.3, 1.29.7) as soon as possible.
- Implement Configuration Mitigations: If immediate patching is not feasible, follow F5’s recommended configuration-based mitigations. This involves editing NGINX configuration files (typically in
/etc/nginx) to comment out all server and location blocks that utilize themp4directive. - Validate and Reload: After modifying the configuration, validate the syntax using
sudo nginx -tand then gracefully reload the NGINX service. - Restrict Media Publishing: As a defense-in-depth measure, limit the ability to publish audio and video files to trusted users only to prevent unauthorized actors from introducing malicious MP4 payloads.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.