Critical Vulnerability in NGINX Allows Code Execution via Malicious MP4 Files
A significant security flaw has been identified in both NGINX Open Source and NGINX Plus, potentially allowing attackers to execute arbitrary code through specially crafted MP4 files. This vulnerability, designated as CVE-2026-32647, has been assigned a CVSS v4.0 base score of 8.5 and a CVSS v3.1 score of 7.8, indicating a high severity level.
Understanding the Vulnerability
The root cause of this issue lies in an out-of-bounds read vulnerability within the `ngx_http_mp4_module` module of NGINX. This module is responsible for processing MP4 files to enable efficient streaming. When NGINX parses a maliciously crafted MP4 file, it can trigger memory corruption, leading to a denial-of-service (DoS) condition by terminating the worker process. In more severe cases, this flaw could be exploited to execute arbitrary code on the host system.
Affected Versions and Configurations
The vulnerability affects NGINX instances that have the `ngx_http_mp4_module` enabled. For NGINX Plus, this module is included by default, making versions R32 through R36 vulnerable. Patches have been released in versions R36 P3, R35 P2, and R32 P5. In the case of NGINX Open Source, the module must be explicitly compiled and enabled by administrators. Versions 1.1.19 through 1.29.6 are affected, with fixes available in versions 1.28.3 and 1.29.7.
Mitigation Strategies
Administrators are strongly advised to update their NGINX deployments to the latest patched versions to address this vulnerability. If immediate patching is not feasible, disabling the MP4 streaming module serves as a temporary mitigation. This involves editing the NGINX configuration files to comment out the `mp4` directive and reloading the service. Additionally, restricting the ability to upload media files to trusted users can further reduce the risk of exploitation.
Broader Implications
This vulnerability underscores the importance of diligent module management and the need for regular security assessments. Modules that are not essential should be disabled to minimize potential attack vectors. Organizations should also implement comprehensive monitoring to detect and respond to unusual activities promptly.
Conclusion
The discovery of CVE-2026-32647 highlights the critical need for proactive security measures in managing web server configurations. By promptly applying patches and adhering to best practices, organizations can protect their systems from potential exploits targeting this vulnerability.
