CVE-2026-32647: CWE-125 Out-of-bounds Read in F5 NGINX Open Source
CVE-2026-32647 is a high-severity vulnerability in the ngx_http_mp4_module of NGINX Open Source and NGINX Plus. It allows an attacker with low privileges and local access to trigger an out-of-bounds read or write by processing a specially crafted MP4 file, potentially causing worker process termination or remote code execution. This vulnerability affects versions 1.29.0 and 1.1.19 if built with the mp4 module and the mp4 directive is enabled. Exploitation requires the attacker to have the ability to cause the server to process a malicious MP4 file, with no user interaction needed. Although no known exploits are currently in the wild, the impact on confidentiality, integrity, and availability is high. Organizations using affected NGINX versions with the mp4 module enabled should prioritize patching or mitigating exposure.
AI Analysis
Technical Summary
CVE-2026-32647 is a vulnerability classified as CWE-125 (Out-of-bounds Read) found in the ngx_http_mp4_module of F5's NGINX Open Source and NGINX Plus products. The vulnerability arises when the module processes specially crafted MP4 files, leading to a buffer over-read or over-write in the memory of the NGINX worker process. This can cause the worker process to crash, resulting in denial of service, or potentially allow an attacker to execute arbitrary code within the context of the worker process. The vulnerability affects versions 1.29.0 and 1.1.19 of NGINX if they are built with the ngx_http_mp4_module and the mp4 directive is enabled in the configuration. Exploitation requires the attacker to have local or network access sufficient to trigger the processing of a malicious MP4 file by the vulnerable module. No user interaction is required, and the attack complexity is low with low privileges needed. The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability. No known public exploits have been reported yet, but the vulnerability poses a significant risk to services relying on the mp4 module for media streaming or delivery. End-of-Technical-Support versions are not evaluated, so only supported versions are considered vulnerable. The vulnerability highlights the risk of media processing modules in web servers and the importance of careful input validation and memory management.
Potential Impact
The vulnerability can lead to several severe impacts for organizations worldwide. Primarily, it can cause denial of service by crashing NGINX worker processes, disrupting web services and media streaming capabilities. More critically, it may allow remote code execution, enabling attackers to gain control over the affected server, potentially leading to data breaches, lateral movement within networks, and persistent access. Confidentiality, integrity, and availability of services are all at risk. Organizations that rely on NGINX for delivering MP4 content are particularly vulnerable, including media companies, content delivery networks, and enterprises hosting video content. The disruption or compromise of these services can result in financial loss, reputational damage, and regulatory penalties. Given the widespread use of NGINX globally, the scope of affected systems is substantial, especially where the mp4 module is enabled. The requirement for low privileges and no user interaction lowers the barrier for exploitation, increasing the threat level.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first identify if their NGINX deployments use the ngx_http_mp4_module and have the mp4 directive enabled. If so, they should upgrade to a patched version of NGINX as soon as a fix is released by F5. Until patches are available, organizations can consider disabling the mp4 module or the mp4 directive in the configuration to prevent processing of MP4 files via this module. Additionally, implementing strict access controls to limit who can upload or trigger processing of MP4 files reduces exposure. Monitoring logs for unusual MP4 file processing or worker crashes can help detect exploitation attempts. Employing web application firewalls (WAFs) with rules to block malformed MP4 payloads may provide temporary protection. Network segmentation and limiting exposure of NGINX servers to untrusted networks further reduce risk. Regularly reviewing and updating media processing components and applying security best practices for memory safety are also recommended.
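The first step above, finding out whether a deployment is built with ngx_http_mp4_module and has the mp4 directive enabled, can be scripted. The following is an added example, not part of the original advisory or any F5 tooling; the function names and the sample `nginx -V` / `nginx -T` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an NGINX host's exposure to ngx_http_mp4_module.
# Live use: mp4_exposure "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"

# Constructed sample of `nginx -V 2>&1` output (placeholder version string).
SAMPLE_V='nginx version: nginx/0.0.0-example
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'

# Constructed sample of `nginx -T` output.
SAMPLE_T='# configuration file /etc/nginx/nginx.conf:
http {
    server {
        location /video/ {
            mp4;
            mp4_buffer_size 1m;
        }
        location /archive/ {
            # mp4;
        }
    }
}'

# True if the `nginx -V` text in $1 shows the mp4 module compiled in.
built_with_mp4() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Prints "line:text" for each active mp4 directive in the `nginx -T` text in $1.
# Comments are stripped first; mp4_buffer_size and ".mp4" patterns do not match.
mp4_directive_lines() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -nE '(^|[[:space:];{])mp4[[:space:]]*;' || true
}

# Verdict for one host: not-built, built-not-enabled, or exposed.
mp4_exposure() {
    if ! built_with_mp4 "$1"; then echo "not-built"; return 0; fi
    if [ -z "$(mp4_directive_lines "$2")" ]; then
        echo "built-not-enabled"
    else
        echo "exposed"
    fi
}

mp4_exposure "$SAMPLE_V" "$SAMPLE_T"
```

Only hosts reported as exposed meet both conditions the advisory names; `mp4_directive_lines` shows which configuration lines to disable as the interim mitigation.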
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: f5
- Date Reserved: 2026-03-18T16:06:38.427Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2a3a3f4197a8e3b3ed94d
Added to database: 3/24/2026, 2:45:55 PM
Last enriched: 3/31/2026, 8:27:16 PM
Last updated: 5/9/2026, 3:42:18 PM