Categories: Cyber Security News

F5 NGINX Flaw Allows Code Execution via Malicious MP4 Files

F5 has disclosed a high-severity vulnerability in NGINX that could allow attackers to execute arbitrary code or disrupt services by leveraging a specially crafted MP4 file.

The flaw, tracked as CVE-2026-32647, affects both NGINX Plus and NGINX Open Source deployments when the MP4 streaming module is enabled, raising concerns for organizations that rely on media streaming or video delivery through NGINX.

Vulnerability Overview

CVE-2026-32647 is classified as an out-of-bounds read issue (CWE-125), a type of memory handling flaw that occurs when software reads data outside the intended buffer boundaries.

The vulnerability has been assigned a CVSS v4.0 score of 8.5 and a CVSS v3.1 score of 7.8, indicating high severity.

The issue resides in the ngx_http_mp4_module, which is responsible for processing MP4 files for pseudo-streaming.

When a maliciously crafted MP4 file is processed by NGINX, it can trigger memory corruption in the worker process. This can result in a buffer over-read or overwrite condition, leading to instability in the service.

To exploit this flaw, an attacker must be able to upload or trigger the processing of a specially crafted MP4 file.

This typically requires local or authenticated access, such as through a content upload feature or media management interface.

Once processed, the malformed file can cause the NGINX worker process to crash and restart. This behavior can temporarily interrupt traffic, leading to a denial-of-service (DoS) condition.

In more advanced scenarios, attackers may be able to leverage the memory corruption to achieve remote code execution (RCE) on the host system, although this would depend on specific environmental conditions and exploit sophistication.

For example, a compromised media upload portal that allows users to submit video files could be abused to upload a malicious MP4.

When NGINX processes the file for streaming, the exploit triggers, causing repeated service crashes or potentially allowing deeper system compromise.

F5 confirmed that the vulnerability impacts multiple versions of NGINX:

  • NGINX Plus versions R32 through R36 are affected. Fixed releases include R36 P3, R35 P2, and R32 P5.
  • NGINX Open Source versions from 1.1.19 through 1.29.6 are vulnerable. The issue is resolved in versions 1.29.7 and 1.28.3.

Other F5 products, such as BIG-IP Next, BIG-IQ Centralized Management, F5OS, and Distributed Cloud Services, are not affected by this flaw.

Importantly, the MP4 module is not enabled by default in NGINX Open Source. Only systems where administrators have explicitly configured the mp4 directive are exposed.

Organizations are strongly advised to upgrade to the patched versions as soon as possible. Applying vendor-provided updates is the most effective way to eliminate the risk.

If immediate patching is not feasible, administrators can reduce exposure by limiting file upload capabilities to trusted users and validating all media inputs. Another effective workaround is to disable the MP4 module entirely.

This can be done by commenting out any MP4 directives in the NGINX configuration files, typically located in /etc/nginx.

After making changes, administrators should verify the configuration with `sudo nginx -t` and reload the service with `sudo service nginx reload`.

The vulnerability was responsibly disclosed by security researchers Xint Code and Pavel Kohout from Aisle Research.

Their findings highlight the ongoing risks associated with media parsing components and the importance of secure configuration practices in web server environments.

The post F5 NGINX Flaw Allows Code Execution via Malicious MP4 Files appeared first on Cyber Security News.
