F5 warns NGINX MP4 flaw could crash workers and may lead to code execution


F5 has disclosed a high-severity vulnerability in both NGINX Open Source and NGINX Plus that can let an attacker crash NGINX worker processes with a specially crafted MP4 file. In some cases, the flaw could also open the door to code execution, according to the vendor and the National Vulnerability Database.

The bug is tracked as CVE-2026-32647. NVD lists it with a CVSS v4.0 score of 8.5 and a CVSS v3.1 score of 7.8. The issue sits in the ngx_http_mp4_module, and it affects deployments only when that module is present and the mp4 directive is in use.

This matters because many admins use NGINX to handle media delivery and pseudo-streaming. If an attacker can get a malicious MP4 processed by the vulnerable module, the worker may hit a buffer over-read or over-write condition, terminate, and possibly expose a path to arbitrary code execution on the host.

F5 says the issue lives in the data plane, not the control plane. NGINX Plus ships with the MP4 module included, while NGINX Open Source users face risk only if they built with ngx_http_mp4_module and enabled the related configuration.

What the flaw does

The vulnerability centers on how NGINX parses certain MP4 files inside ngx_http_mp4_module. NVD says a specially crafted file can trigger memory errors in the worker process, leading to termination or possible code execution. NVD also classifies the weakness under CWE-125.

In practical terms, the first impact is likely service disruption. A worker crash can interrupt active traffic until NGINX respawns the process. For internet-facing media services, that can still create serious operational pain even when attackers do not achieve deeper system access.

Who is affected

NGINX’s security advisory page says CVE-2026-32647 affects NGINX Open Source versions 1.1.19 through 1.29.6. Versions 1.29.7 and 1.28.3, and later releases in those fixed branches, are listed as not vulnerable.

For NGINX Plus, the exposed branches include R32 through R36, based on F5’s advisory references and version guidance cited by NVD and NGINX’s security page. Patched releases include R36 P3, R35 P2, and R32 P5, according to the vendor-linked advisory trail.

F5’s release documentation also notes that security updates generally apply to the most recent supported NGINX Plus releases, and it recommends running the latest version in production.

Affected products at a glance

Product            | Vulnerable versions | Fixed versions
NGINX Open Source  | 1.1.19 to 1.29.6    | 1.29.7+, 1.28.3+
NGINX Plus         | R32 to R36          | R36 P3, R35 P2, R32 P5

The NGINX security page also shows another MP4-module issue, CVE-2026-27784, disclosed alongside this one, with the same vulnerable and fixed Open Source version ranges. That makes patching even more urgent for teams that rely on MP4 handling.

How to reduce risk right now

The cleanest fix is to update to a patched release. That removes the vulnerable code path and closes the issue at the source.

If you cannot patch immediately, you should disable MP4 processing where possible. The flaw requires both the module and the mp4 directive, so removing that directive from active configs cuts off the attack path described in the advisory.

You should also limit who can upload or publish media on affected systems. The bug only becomes exploitable if an attacker can make NGINX process a crafted MP4, so tighter publishing controls reduce exposure. That does not replace patching, but it helps lower risk during a maintenance delay.

Immediate actions

  • Update NGINX Open Source to 1.29.7 or 1.28.3, or a later supported build in those branches.
  • Update NGINX Plus to the latest patched branch available for your deployment.
  • Search configs for the mp4 directive and disable it if you do not need MP4 pseudo-streaming.
  • Restrict media upload and publishing rights to trusted users only.
  • Review internet-facing media endpoints first, since they carry the highest exposure.
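The advisory makes exposure depend on two conditions at once: the build includes ngx_http_mp4_module and some configuration uses the mp4 directive. The following triage script is an added example, not part of the F5 or NGINX advisory; it checks both conditions against a constructed `nginx -V` sample and a constructed config, and assumes the Open Source build flag `--with-http_mp4_module` is what marks the module as compiled in.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host's exposure to
# CVE-2026-32647 by the two conditions the advisory names.

# Constructed sample of `nginx -V` output (on a real host: nginx -V 2>&1).
# This build includes the MP4 module.
SAMPLE_NGINX_V='nginx version: nginx/1.29.6
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'

# Constructed sample config: one location enables mp4 pseudo-streaming.
SAMPLE_CONF='server {
    listen 80;
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
    location /static/ {
        root /var/www;
    }
}'

# module_built <nginx -V text> -> exit 0 when the MP4 module is compiled in
# (assumption: the --with-http_mp4_module configure flag marks it).
module_built() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# count_mp4_directives <config text> -> number of lines carrying a bare
# `mp4;` directive; mp4_* tuning directives and commented lines are ignored.
count_mp4_directives() {
    printf '%s\n' "$1" | grep -Ec '^[[:space:]]*mp4[[:space:]]*;' || true
}

# exposure <nginx -V text> <config text> -> one of:
#   exposed     module compiled in and mp4 directive in use (patch, or drop the directive)
#   module-only module compiled in, no mp4 directive found (patch on normal schedule)
#   not-exposed module not compiled in
exposure() {
    if ! module_built "$1"; then
        printf 'not-exposed\n'
    elif [ "$(count_mp4_directives "$2")" -gt 0 ]; then
        printf 'exposed\n'
    else
        printf 'module-only\n'
    fi
}

# Run on the constructed samples. On a real host:
#   exposure "$(nginx -V 2>&1)" "$(cat /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf)"
exposure "$SAMPLE_NGINX_V" "$SAMPLE_CONF"
```

The config check is line-based, so a directive split across lines or pulled in via an `include` you did not concatenate will be missed; feed it every included file.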

FAQ

What is CVE-2026-32647?

It is a vulnerability in NGINX’s ngx_http_mp4_module that can let an attacker crash worker processes and may lead to code execution if a specially crafted MP4 file gets processed.

Is this remote code execution?

F5 and NVD say code execution is possible, but the public wording stays cautious. The guaranteed impact in the advisory is worker termination, while code execution remains a potential outcome rather than a confirmed default result.

Are all NGINX servers affected?

No. The attack path requires the ngx_http_mp4_module, and the mp4 directive must be used in the configuration. NGINX Open Source is not exposed unless admins built and enabled that module.
