F5 NGINX Plus and Open Source Vulnerability Allows Attackers to Execute Code Using an MP4 File

Source: Cybersecurity News (cybersecuritynews.com), by Blog Writer

A high-severity vulnerability has been disclosed affecting both NGINX Open Source and NGINX Plus. Tracked formally as CVE-2026-32647, this security flaw carries a CVSS v4.0 base score of 8.5 and a CVSS v3.1 score of 7.8.

It allows local, authenticated attackers to trigger a denial-of-service (DoS) condition or potentially execute arbitrary code on the underlying system.

The vulnerability exists entirely within the application’s data plane, so there is no control-plane exposure. F5 formally acknowledged researchers Xint Code and Pavel Kohout from Aisle Research for discovering and coordinating the disclosure of this vulnerability.

F5 NGINX Plus and Open Source Vulnerability

The core of this security issue is an out-of-bounds read vulnerability, classified under CWE-125. The flaw is isolated to the ngx_http_mp4_module.

Threat actors can exploit this weakness by forcing the NGINX server to process a specially crafted MP4 file.

When the NGINX worker process parses the malicious media file, it triggers a buffer overrun or underflow in the worker’s memory.

This memory manipulation immediately terminates the worker process, temporarily disrupting active network traffic while the system attempts to restart the process.

Beyond a simple denial-of-service, attackers could theoretically chain this memory corruption to achieve remote code execution on the host machine.

For a system to be vulnerable, the NGINX instance must be built with the ngx_http_mp4_module and actively use the mp4 directive within its configuration file. NGINX Plus includes this module automatically.

Conversely, NGINX Open Source administrators must have explicitly compiled and enabled the module to be at risk. F5 has released software updates to address this vulnerability across all impacted product branches.

Other F5 products, including BIG-IP, BIG-IQ, F5OS, and F5 Distributed Cloud, remain completely unaffected by this flaw. NGINX Plus versions R32 through R36 are vulnerable, with fixes available in R36 P3, R35 P2, and R32 P5.

NGINX Open Source versions 1.1.19 through 1.29.6 are affected, with patches released in versions 1.28.3 and 1.29.7.

Mitigations

Security teams are strongly advised to update their NGINX deployments to the latest patched releases immediately.

If immediate patching falls outside your current maintenance window, F5 recommends applying configuration-based mitigations to secure your infrastructure.

Administrators can neutralize the threat by temporarily disabling MP4 pseudo-streaming in the configuration. This requires logging into the NGINX host system and editing the primary configuration files, typically located in the /etc/nginx directory.

Security engineers must locate every mp4 directive in the server and location blocks and comment it out with a hash character.

After saving the modified configuration, administrators should validate the syntax using the sudo nginx -t command before gracefully reloading the service.
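The steps above, as an added POSIX shell helper that is not part of the article or of F5's tooling: it checks whether the build includes the module, lists every standalone mp4 directive under a configuration directory, comments each one out with a backup copy, and runs nginx -t. The function names, the assumed directory layout and the marker comment are assumptions; the tuning directives such as mp4_buffer_size are deliberately left untouched, since only the bare mp4 directive enables the parser.

```shell
#!/bin/sh
# Hypothetical helper: disable the `mp4;` directive everywhere under an nginx
# config directory (default /etc/nginx), keep a .bak of each changed file,
# then validate with `nginx -t`. Not F5's own tooling.
set -eu

# Matches a standalone `mp4;` directive only, not mp4_buffer_size etc.
MP4_RE='^[[:space:]]*mp4[[:space:]]*;'

# Does this nginx build include ngx_http_mp4_module at all?
mp4_module_built_in() {
    nginx -V 2>&1 | grep -q -- '--with-http_mp4_module'
}

# Print file:line:text for each active `mp4;` directive under $1.
list_mp4_directives() {
    find "$1" -type f ! -name '*.bak' -exec grep -nE "$MP4_RE" /dev/null {} + || true
}

# Comment out each `mp4;` directive in place (backup written to <file>.bak).
disable_mp4_directives() {
    list_mp4_directives "$1" | cut -d: -f1 | sort -u | while read -r f; do
        sed -i.bak -E \
            's|^([[:space:]]*)mp4[[:space:]]*;|\1# mp4;  # disabled: CVE-2026-32647 mitigation|' "$f"
    done
}

# Number of `mp4;` directives still active under $1 (0 means the vector is closed).
count_mp4_directives() {
    list_mp4_directives "$1" | wc -l | tr -d ' '
}

main() {
    conf_dir="${1:-/etc/nginx}"
    if ! mp4_module_built_in; then
        echo "ngx_http_mp4_module is not compiled in; this host is not affected."
        return 0
    fi
    echo "Active mp4 directives before edit:"; list_mp4_directives "$conf_dir"
    disable_mp4_directives "$conf_dir"
    echo "Still active after edit: $(count_mp4_directives "$conf_dir")"
    nginx -t   # validate syntax before a graceful reload (nginx -s reload)
}

# Only act when a directory argument is given, so sourcing the file is side-effect free.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh disable_mp4.sh /etc/nginx`; every changed file keeps a .bak copy so the directive can be restored once the patched release is installed.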

While this mitigation turns off server-side pseudo-streaming support for MP4 files, it effectively removes the attack vector. As an additional defense-in-depth measure, organizations should restrict the publishing of audio and video files to trusted users only.

Restricting media publishing rights prevents unauthorized actors from introducing the crafted MP4 payload into the server environment.
