CVE-2026-32647: CWE-125 Out-of-bounds Read in F5 NGINX Open Source
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AI Analysis
Technical Summary
CVE-2026-32647 is a vulnerability classified under CWE-125 (Out-of-bounds Read) in the ngx_http_mp4_module of F5's NGINX Open Source and NGINX Plus products. This module implements MP4 pseudo-streaming. The flaw is triggered when the module processes a specially crafted MP4 file, causing a buffer over-read or over-write in the memory of the NGINX worker process. The memory corruption can crash the worker, resulting in denial of service, or potentially allow an attacker to execute arbitrary code in the context of the NGINX worker. The vulnerability is exploitable only if ngx_http_mp4_module is compiled into NGINX and the mp4 directive is actively used in the server configuration, which limits the attack surface to deployments that use MP4 streaming. The attack requires local access or the ability to make NGINX process the malicious MP4 file, so remote exploitation is possible where the server accepts MP4 uploads or serves attacker-supplied files through the module. The CVSS v3.1 base score of 7.8 indicates high severity, with attack vector local, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported, and the vulnerability affects versions 1.29.0 and 1.1.19 of NGINX. End-of-support versions are not evaluated. No patch links are provided in this record, so fixes may still be forthcoming and users should monitor vendor advisories closely.
Potential Impact
The vulnerability poses a significant risk to organizations using NGINX with the ngx_http_mp4_module enabled, particularly those streaming MP4 content. Successful exploitation can lead to denial of service through worker process crashes, disrupting web services and potentially causing downtime. More critically, the possibility of arbitrary code execution could allow attackers to escalate privileges, execute malicious payloads, or pivot within the network, compromising confidentiality and integrity of data. Given NGINX's widespread use as a web server and reverse proxy, especially in media streaming and content delivery environments, the impact could be substantial. Organizations relying on MP4 streaming may face service outages or breaches if attackers exploit this flaw. Although no known exploits are currently in the wild, the high CVSS score and potential for code execution warrant urgent attention. The requirement for local or controlled access to trigger the vulnerability somewhat limits remote exploitation but does not eliminate risk, especially in multi-tenant or cloud environments where attackers might upload malicious MP4 files. The vulnerability could also be leveraged in targeted attacks against high-value assets using NGINX for media delivery.
Mitigation Recommendations
Organizations should first verify whether their NGINX deployments include the ngx_http_mp4_module and if the mp4 directive is enabled in their configurations. If so, they should prioritize updating to a patched version once released by F5 or NGINX. In the absence of immediate patches, mitigating controls include disabling the ngx_http_mp4_module or removing the mp4 directive if MP4 streaming is not essential. Implement strict input validation and filtering on MP4 file uploads or requests to prevent processing of malformed files. Employ network segmentation and access controls to restrict who can upload or trigger MP4 processing. Monitoring and logging of NGINX worker crashes or unusual behavior can provide early detection of exploitation attempts. Additionally, running NGINX with the least privileges necessary and using containerization or sandboxing can limit the impact of potential code execution. Regularly review vendor advisories for patches and apply them promptly. Finally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious MP4 payloads targeting this module.
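The first mitigation step above is to confirm whether a deployment is actually in scope: the module must be compiled in and the mp4 directive must be in use. The following POSIX shell script is an added example, not part of this advisory or of NGINX itself. It assumes the build flags come from `nginx -V` (which prints them on stderr) and the effective configuration from `nginx -T`; the sample flags and configuration embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): determine whether an NGINX host is in
# scope for CVE-2026-32647 by checking both preconditions the advisory names.
# Assumption: $1 is the text printed by `nginx -V`, $2 the text of the config.

# Return 0 if the configure arguments include the MP4 module.
build_has_mp4_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Return 0 if the config contains an active (uncommented) `mp4;` directive.
# `mp4_buffer_size` and similar do not match because `mp4` must be followed
# only by whitespace and a semicolon.
config_uses_mp4() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mp4[[:space:]]*;'
}

# The advisory states the issue applies only when BOTH conditions hold.
mp4_exposed() {
    build_has_mp4_module "$1" && config_uses_mp4 "$2"
}

# Constructed sample `nginx -V` output and configuration for a stand-alone run.
SAMPLE_FLAGS='nginx version: nginx/1.29.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
SAMPLE_CONF='server {
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}'

# On a real host (uncomment): nginx -V writes to stderr, hence 2>&1;
# nginx -T dumps the full effective configuration including included files.
# FLAGS=$(nginx -V 2>&1)
# CONF=$(nginx -T 2>/dev/null)
# mp4_exposed "$FLAGS" "$CONF" && echo "in scope: mp4 module built and directive in use"

if mp4_exposed "$SAMPLE_FLAGS" "$SAMPLE_CONF"; then
    echo "sample: mp4 module built and mp4 directive in use"
else
    echo "sample: not in scope"
fi
```

Run it as-is to see the constructed sample flagged; on a live host, replace the sample variables with the commented `nginx -V` / `nginx -T` capture. Using `nginx -T` rather than grepping nginx.conf directly matters because the mp4 directive is often set in a file pulled in by `include`.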
Affected Countries
United States, Germany, China, Japan, United Kingdom, France, South Korea, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: f5
- Date Reserved: 2026-03-18T16:06:38.427Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2a3a3f4197a8e3b3ed94d
Added to database: 3/24/2026, 2:45:55 PM
Last enriched: 3/24/2026, 3:06:13 PM
Last updated: 3/26/2026, 5:32:19 AM
Views: 20