CVE-2026-32647 F5 — Exploit & Vulnerability Details HIGH

Parameter	Value
CVSS	8.5 (HIGH)
Affected Versions	1.1.19 — 1.29.7
Fixed In	1.28.3
Type	CWE-125 (Out-of-bounds Read)
Vendor	F5
Public PoC	No

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-125 Out-of-bounds Read

Vulnerable Products 18

Configuration	From (including)	Up to (excluding)
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r32:p1::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r32:p2::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r32:p3::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r32:p4::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r33:::::::*	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r33:p1::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r33:p2::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r33:p3::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r34:::::::*	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r34:p1::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r34:p2::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r35:::::::*	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r35:p1::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r36:::::::*	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r36:p1::::::	—	—
F5 Nginx_Plus cpe:2.3:a:f5:nginx_plus:r36:p2::::::	—	—
F5 Nginx_Open_Source cpe:2.3:a:f5:nginx_open_source::::::::	`1.1.19`	`1.28.3`
F5 Nginx_Open_Source cpe:2.3:a:f5:nginx_open_source::::::::	`1.29.0`	`1.29.7`

References 1

https://my.f5.com/manage/s/article/K000160366

f5sirt@f5.com

Share Post Share Share Share

Related Vulnerabilities

Menu

CVE-2026-32647

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 18

References 1

Related Vulnerabilities

CVE-2026-28755

CVE-2026-28753

CVE-2026-27654

CVE-2025-53521

CVE-2025-1695

CVE Details

Editor's Choice

Menu

CVE-2026-32647

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 18

References 1

Related Vulnerabilities

CVE-2026-28755

CVE-2026-28753

CVE-2026-27654

CVE-2025-53521

CVE-2025-1695

CVE Details

Editor's Choice

Stay informed on cybersecurity