High-Severity NGINX Vulnerability (CVE-2026-32647) Exposes Systems to DoS and RCE Risks
A critical vulnerability, CVE-2026-32647, has been disclosed in NGINX Open Source and NGINX Plus, carrying a CVSS v4.0 score of 8.5 and a CVSS v3.1 score of 7.8. The flaw, discovered by researchers Xint Code and Pavel Kohout of Aisle Research, enables local authenticated attackers to trigger a denial-of-service (DoS) condition or potentially execute arbitrary code on affected systems.
The vulnerability stems from an out-of-bounds read (CWE-125) in the ngx_http_mp4_module, a component used for MP4 file streaming. Exploitation occurs when NGINX processes a maliciously crafted MP4 file, leading to memory corruption in the worker process. This can crash the process, disrupting traffic until it restarts, or in a worst-case scenario allow remote code execution (RCE).
Affected Versions & Scope
- NGINX Plus (R32–R36) – Patched in R36 P3, R35 P2, and R32 P5.
- NGINX Open Source (1.1.19–1.29.6) – Fixed in 1.28.3 and 1.29.7.
- Exposure Requirement: The system must have the ngx_http_mp4_module enabled (included by default in NGINX Plus but requires explicit compilation in Open Source).
Other F5 products, including BIG-IP, BIG-IQ, F5OS, and F5 Distributed Cloud, are unaffected.
Mitigation & Patching
F5 has released patched versions for all vulnerable branches. Organizations unable to update immediately can disable the MP4 module by:
- Commenting out the mp4 directive in NGINX configuration files.
- Validating changes with sudo nginx -t before reloading the service.
- Restricting media uploads to trusted users to prevent exploitation via malicious files.
The flaw is confined to the data plane, with no control-plane exposure, but its severity underscores the need for prompt remediation.
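As an added example (not code from the article, F5 or the NGINX project), the POSIX shell script below turns the advisory's version and module facts into a host triage check: it flags an NGINX Open Source build that falls in the affected range without being on a patched release, tests whether the http_mp4_module was compiled in, and counts active mp4 directives under a configuration tree. The live check at the end, the /etc/nginx path and the nginx -V parsing are assumptions; NGINX Plus release numbers (R32 P5, R35 P2, R36 P3) are not evaluated here.

```shell
#!/bin/sh
# Triage helper for CVE-2026-32647 (added example, not F5/NGINX tooling).
# Advisory facts used: Open Source 1.1.19-1.29.6 affected, fixed in
# 1.28.3 (stable) and 1.29.7 (mainline). NGINX Plus is not handled.

# Encode "1.29.6" as 1029006 so versions compare as plain integers.
version_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# Exit 0 if the Open Source version is in the affected range and not on a
# patched release, 1 otherwise.
oss_version_vulnerable() {
    n=$(version_num "$1")
    [ "$n" -ge 1001019 ] || return 1      # older than 1.1.19: outside the stated range
    [ "$n" -le 1029006 ] || return 1      # 1.29.7 and later: fixed
    if [ "$n" -ge 1028003 ] && [ "$n" -lt 1029000 ]; then
        return 1                          # 1.28.3 and later stable: fixed
    fi
    return 0
}

# Exit 0 if the "nginx -V" text passed as $1 shows the mp4 module built in;
# Open Source only includes it when configured with --with-http_mp4_module.
mp4_module_compiled() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Print the number of active (not commented-out) "mp4;" directives under a
# file or directory. Only directives on their own line are counted.
count_mp4_directives() {
    grep -rEc '^[[:space:]]*mp4[[:space:]]*;' "$1" 2>/dev/null \
        | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Live check when run on a host with nginx installed (assumed layout).
if command -v nginx >/dev/null 2>&1; then
    info=$(nginx -V 2>&1)
    ver=$(printf '%s\n' "$info" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    if oss_version_vulnerable "$ver" && mp4_module_compiled "$info"; then
        echo "nginx $ver is in the affected range and has http_mp4_module built in"
        echo "active mp4 directives under /etc/nginx: $(count_mp4_directives /etc/nginx)"
    else
        echo "nginx $ver: no exposure found by the Open Source checks above"
        echo "(NGINX Plus builds: compare the R-number against the advisory instead)"
    fi
fi
```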
Source: https://cybersecuritynews.com/f5-nginx-plus-and-open-source-vulnerability/
F5 cybersecurity rating report: https://www.rankiteo.com/company/f5