CVE-2026-27784
Published: 24 March 2026
Summary
CVE-2026-27784 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in F5 Nginx Open Source. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Applying vendor-provided patches for CVE-2026-27784 directly remediates the integer overflow vulnerability in the 32-bit NGINX ngx_http_mp4_module.
Configuring NGINX without the mp4 directive or using 64-bit builds prevents activation and exploitation of the vulnerable ngx_http_mp4_module.
Memory protection mechanisms such as ASLR and DEP mitigate over-read or over-write attempts resulting from the integer overflow in NGINX worker processes.
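The three preconditions above (32-bit build, ngx_http_mp4_module compiled in, mp4 directive active) can be checked on a host with the following POSIX shell script, added here as an example; it is not part of this advisory or of the NGINX project. It assumes `nginx -V`, `nginx -T` and `file` behave as on a typical Linux install, and the sample inputs at the bottom are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the advisory or the NGINX project): checks the three
# preconditions the advisory gives for CVE-2026-27784: a 32-bit build, the
# ngx_http_mp4_module compiled in, and the mp4 directive in the active config.
# `nginx -V` prints the configure arguments; a static mp4 module shows as this flag.
has_mp4_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}
# The directive is the bare word `mp4;` inside a location block. Comments are stripped
# first so `# mp4;` and the `# configuration file ...` lines from `nginx -T` do not count.
uses_mp4_directive() {
    printf '%s\n' "$1" | sed 's/#.*$//' | grep -Eq '^[[:space:]]*mp4[[:space:]]*;'
}
# Word size of the nginx binary via `file` (assumes an ELF target; follows symlinks).
binary_bits() {
    case "$(file -L "$1" 2>/dev/null)" in
        *"ELF 32-bit"*) echo 32 ;;
        *"ELF 64-bit"*) echo 64 ;;
        *)              echo unknown ;;
    esac
}
# $1: `nginx -V` output, $2: `nginx -T` output, $3: word size (32/64/unknown).
# Prints a one-line verdict; returns 0 only when every precondition holds.
assess_cve_2026_27784() {
    case "$3" in
        32) ;;
        64) echo "not exposed: 64-bit build (only 32-bit builds are affected)"; return 1 ;;
        *)  echo "inconclusive: could not determine the binary word size"; return 2 ;;
    esac
    has_mp4_module "$1" || { echo "not exposed: ngx_http_mp4_module not compiled in"; return 1; }
    uses_mp4_directive "$2" || { echo "not exposed: mp4 directive not in active config"; return 1; }
    echo "EXPOSED: apply the F5 fix (K000160364), move to a 64-bit build, or drop the mp4 directive"
}
# Live wrapper: nginx -V writes to stderr, nginx -T dumps the merged config to stdout.
check_installed_nginx() {
    bin=$(command -v nginx) || { echo "nginx not found in PATH"; return 2; }
    assess_cve_2026_27784 "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)" "$(binary_bits "$bin")"
}
# Constructed sample inputs (not captured from a real host) for offline testing.
SAMPLE_V='nginx version: nginx/0.0.0-sample
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_mp4_module'
SAMPLE_T_MP4='# configuration file /etc/nginx/nginx.conf:
location /video/ {
    mp4;
}'
SAMPLE_T_NOMP4='location /video/ {
    # mp4;
}'
```

Run `check_installed_nginx` on the host to get the live verdict; a 64-bit result or a missing directive means the issue cannot be triggered there, which is exactly the configuration mitigation the control list describes.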
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local memory corruption (integer overflow) in the NGINX worker process enables exploitation for privilege escalation (T1068) and application DoS via crafted MP4 processing (T1499.004).
NVD Description
The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Deeper analysis
CVE-2026-27784 is a vulnerability in the 32-bit implementation of NGINX Open Source, specifically within the ngx_http_mp4_module module. It enables an attacker to over-read or over-write NGINX worker memory, potentially leading to worker process termination, by processing a specially crafted MP4 file. The issue affects only 32-bit NGINX Open Source builds that include the ngx_http_mp4_module and have the mp4 directive enabled in the configuration file. It is classified under CWE-190 (Integer Overflow or Wraparound) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker requires local access to the system (AV:L) with low privileges (PR:L) and can exploit the vulnerability with low complexity (AC:L) by triggering NGINX to process a maliciously crafted MP4 file via the affected module. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), including worker process crashes that disrupt service, as well as potential memory over-reads or over-writes.
For mitigation details, refer to the F5 advisory at https://my.f5.com/manage/s/article/K000160364. Note that software versions at End of Technical Support (EoTS) are not evaluated for patches.
Details
- CWE(s)