Cyber Posture

CVE-2026-32647

High

Published: 24 March 2026
Modified: 26 March 2026
KEV Added: not listed
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.1 percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32647 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the ngx_http_mp4_module of F5 NGINX Open Source and NGINX Plus. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score of 0.0001 places it at the 2.1 percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-2 Flaw Remediation (prevent)

Directly remediates the buffer over-read/over-write in NGINX's ngx_http_mp4_module by requiring timely installation of the vendor patch.

CM-7 Least Functionality (prevent)

Enforces least functionality: remove the mp4 directive from the configuration and, where possible, build NGINX without ngx_http_mp4_module wherever MP4 pseudo-streaming is not needed, so the vulnerable code never processes a crafted MP4 file. The module being compiled in is necessary but not sufficient for exposure; the code is only reachable in locations where the mp4 directive is set.

SI-16 Memory Protection (prevent)

Relies on memory protections such as address space layout randomization (effective for the worker's own code only if the nginx binary is built as a PIE) and stack canaries to make a buffer over-read or over-write in an NGINX worker process harder to turn into code execution. These protections do not stop the worker from being terminated, so they reduce the code-execution risk, not the denial-of-service outcome.
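To verify the SI-16 properties on a host rather than assume them, the checks below (an added example, not from the advisory and not NGINX project code) inspect the four things that matter for a worker exploit: system-wide ASLR from /proc/sys/kernel/randomize_va_space, and PIE, RELRO with BIND_NOW, and a stack-protector import in the nginx binary as reported by readelf -h, -l, -d and -s. Each function takes the captured text as an argument, and the captures embedded at the bottom are constructed so the script runs offline; on a real host feed it the readelf output of the binary that actually serves traffic.

```shell
#!/bin/sh
# Added example; not from the advisory and not NGINX project code. It checks
# the properties SI-16 depends on for the nginx worker: system-wide ASLR and a
# binary built as PIE with RELRO, BIND_NOW and stack canaries. On a live host
# the inputs are captured with
#   cat /proc/sys/kernel/randomize_va_space
#   readelf -h nginx ; readelf -l nginx ; readelf -d nginx ; readelf -s nginx
# Each check takes the captured text as an argument so this runs offline.

# 0 if the kernel randomizes stack, mmap base, VDSO and heap (value 2).
aslr_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "2" ]
}

# 0 if the ELF header (readelf -h) shows Type: DYN. A non-PIE nginx keeps its
# own code at a fixed address, giving ROP gadgets a stable base even with ASLR on.
is_pie() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Type:[[:space:]]+DYN'
}

# 0 if the program headers (readelf -l) contain a GNU_RELRO segment.
has_relro() {
    printf '%s\n' "$1" | grep -q 'GNU_RELRO'
}

# 0 if the dynamic section (readelf -d) requests immediate binding, which
# together with GNU_RELRO makes the GOT read-only after loading (full RELRO).
has_bind_now() {
    printf '%s\n' "$1" | grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'
}

# 0 if the symbol table (readelf -s) imports __stack_chk_fail, the libc
# routine called when a -fstack-protector canary is found corrupted.
has_stack_canary() {
    printf '%s\n' "$1" | grep -q '__stack_chk_fail'
}

# Prints "hardened" or "missing: <list>". Arguments: randomize_va_space value,
# then the readelf -h, -l, -d and -s captures. Always returns 0.
worker_hardening_report() {
    missing=""
    aslr_enabled "$1"      || missing="$missing ASLR"
    is_pie "$2"            || missing="$missing PIE"
    has_relro "$3"         || missing="$missing RELRO"
    has_bind_now "$4"      || missing="$missing BIND_NOW"
    has_stack_canary "$5"  || missing="$missing STACK_CANARY"
    if [ -z "$missing" ]; then
        echo "hardened"
    else
        echo "missing:$missing"
    fi
}

# Constructed sample captures (shortened; not from a real nginx build).
HDR='ELF Header:
  Type:                              DYN (Position-Independent Executable file)'
PHDRS='Program Headers:
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
  GNU_RELRO      0x00000000000ed2f0 0x00000000000ee2f0 0x00000000000ee2f0'
DYN='Dynamic section at offset 0xee300 contains 30 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SYMS='Symbol table .dynsym contains 212 entries:
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)'

worker_hardening_report 2 "$HDR" "$PHDRS" "$DYN" "$SYMS"           # hardened
worker_hardening_report 0 "Type: EXEC (Executable file)" "" "" ""  # missing: ASLR PIE RELRO BIND_NOW STACK_CANARY
```

Distribution packages of nginx are usually built as PIE with full RELRO and stack protector; a locally built nginx often is not, which is exactly the case where a worker over-write is easiest to turn into code execution, so run the report against the binary path from ps rather than whatever nginx is first on PATH.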

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

A local, low-privileged attacker who can make an NGINX worker process a crafted MP4 file triggers an out-of-bounds read or write in worker memory. That primitive can lead to code execution in the worker's context, which maps to Exploitation for Privilege Escalation (T1068); at minimum it terminates the worker, a secondary service denial.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Deeper analysis (AI-generated)

CVE-2026-32647 is a vulnerability (CWE-125: Out-of-bounds Read) in the ngx_http_mp4_module of NGINX Open Source and NGINX Plus. It enables a buffer over-read or over-write in NGINX worker memory via a specially crafted MP4 file, potentially resulting in worker process termination or code execution. The flaw affects NGINX Open Source and NGINX Plus instances that are built with the ngx_http_mp4_module and have the mp4 directive enabled in the configuration file.

Exploitation requires local access (AV:L), low complexity (AC:L), and low privileges (PR:L), with no user interaction needed (UI:N) and no scope change (S:U). An attacker who can trigger processing of the malicious MP4 file by the ngx_http_mp4_module could achieve high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 7.8.

The F5 security advisory at https://my.f5.com/manage/s/article/K000160366 provides further details on the issue. Note that software versions which have reached End of Technical Support (EoTS) are not evaluated.

Details

CWE(s)

CWE-125 Out-of-bounds Read

Affected Products

F5 NGINX Plus: R32, R33, R34, R35, R36
F5 NGINX Open Source: 1.1.19 through 1.28.3; 1.29.0 through 1.29.7
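The NVD description gives two exposure conditions (built with ngx_http_mp4_module, and the mp4 directive present in the configuration) and the Affected Products list above gives the Open Source version ranges. The script below, an added example rather than anything from the advisory or the NGINX project, turns those three facts into an offline check over text an administrator normally captures with nginx -V 2>&1 and nginx -T 2>/dev/null; the sample captures inside it are constructed. The embedded ranges are the Open Source ones, so for NGINX Plus compare the R-release against R32 through R36 instead of relying on the version number.

```shell
#!/bin/sh
# Added example, not taken from the advisory or from the NGINX project.
# It applies the two exposure conditions the advisory states (module built in,
# mp4 directive used) plus the affected Open Source version ranges it lists, to
# text that an administrator normally captures with:
#   nginx -V 2>&1         (version and configure arguments)
#   nginx -T 2>/dev/null  (full effective configuration)
# The inputs are passed as strings so the checks can run offline.

# 0 (true) if version $1 (e.g. 1.28.3) falls in 1.1.19-1.28.3 or 1.29.0-1.29.7.
version_affected() {
    echo "$1" | awk -F. '{
        v = $1 * 1000000 + $2 * 1000 + $3
        in_r1 = (v >= 1001019 && v <= 1028003)
        in_r2 = (v >= 1029000 && v <= 1029007)
        exit (in_r1 || in_r2) ? 0 : 1
    }'
}

# Prints "1.28.3" from `nginx -V` output held in $1 (empty if not found).
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# 0 if the configure arguments in `nginx -V` output ($1) include the mp4 module.
mp4_module_built() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# 0 if the configuration text ($1) contains an active "mp4;" directive.
# Comments are stripped first; the module's other directives (mp4_buffer_size,
# mp4_max_buffer_size, ...) do not enable it and are deliberately not matched.
mp4_directive_used() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Eq '(^|[[:space:]{;])mp4[[:space:]]*;'
}

# Prints one of: EXPOSED, SAFE_VERSION, MODULE_NOT_BUILT, DIRECTIVE_NOT_USED,
# UNKNOWN_VERSION. $1 is the `nginx -V` capture, $2 the `nginx -T` capture.
assess_exposure() {
    ver=$(nginx_version "$1")
    if [ -z "$ver" ]; then echo UNKNOWN_VERSION; return 0; fi
    if ! version_affected "$ver"; then echo SAFE_VERSION; return 0; fi
    if ! mp4_module_built "$1"; then echo MODULE_NOT_BUILT; return 0; fi
    if ! mp4_directive_used "$2"; then echo DIRECTIVE_NOT_USED; return 0; fi
    echo EXPOSED
}

# Constructed sample captures (not taken from a real host).
SAMPLE_V='nginx version: nginx/1.28.3
built with OpenSSL 3.0.13 30 Jan 2024
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'

SAMPLE_CONF='http {
    server {
        listen 80;
        location /video/ {
            mp4;
            mp4_buffer_size 1m;
            root /srv/media;
        }
    }
}'

assess_exposure "$SAMPLE_V" "$SAMPLE_CONF"   # EXPOSED
```

nginx -T only succeeds when the configuration loads, so capture it on the host with the same binary that is serving; an EXPOSED verdict means the remaining question is whether an attacker can place or request a crafted MP4 under a location that uses the directive, which is the final condition the NVD text names and which no static check can answer.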

CVEs Like This One

CVE-2026-27654 (same product: F5 NGINX Open Source)
CVE-2026-27651 (same product: F5 NGINX Open Source)
CVE-2026-27784 (same product: F5 NGINX Open Source)
CVE-2025-24497 (same vendor: F5)
CVE-2026-31641 (shared CWE-125)
CVE-2026-23099 (shared CWE-125)
CVE-2026-31675 (shared CWE-125)
CVE-2026-23407 (shared CWE-125)
CVE-2025-24228 (shared CWE-125)
CVE-2025-48822 (shared CWE-125)

References

F5 security advisory K000160366: https://my.f5.com/manage/s/article/K000160366