Bug 2449598 (CVE-2026-32647) - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files
Summary: CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via speciall...
Keywords:
Status: NEW
Alias: CVE-2026-32647
Deadline: 2026-03-24
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452220
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-20 11:58 UTC by OSIDB Bzimport
Modified: 2026-05-11 10:49 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:13634 0 None None None 2026-05-05 08:35:51 UTC
Red Hat Product Errata RHSA-2026:13680 0 None None None 2026-05-05 10:26:18 UTC
Red Hat Product Errata RHSA-2026:13839 0 None None None 2026-05-05 18:06:51 UTC
Red Hat Product Errata RHSA-2026:14836 0 None None None 2026-05-07 19:01:54 UTC
Red Hat Product Errata RHSA-2026:15942 0 None None None 2026-05-11 08:07:21 UTC
Red Hat Product Errata RHSA-2026:15943 0 None None None 2026-05-11 08:42:16 UTC
Red Hat Product Errata RHSA-2026:15945 0 None None None 2026-05-11 09:33:18 UTC
Red Hat Product Errata RHSA-2026:15966 0 None None None 2026-05-11 10:49:42 UTC
Red Hat Product Errata RHSA-2026:6906 0 None None None 2026-04-07 18:36:49 UTC
Red Hat Product Errata RHSA-2026:6907 0 None None None 2026-04-07 20:37:39 UTC
Red Hat Product Errata RHSA-2026:6923 0 None None None 2026-04-07 21:36:18 UTC
Red Hat Product Errata RHSA-2026:7002 0 None None None 2026-04-08 08:02:29 UTC
Red Hat Product Errata RHSA-2026:7343 0 None None None 2026-04-09 18:53:45 UTC

Description OSIDB Bzimport 2026-03-20 11:58:10 UTC 
Out-of-Bounds Read/Write vulnerability in the ngx_http_mp4_module of NGINX Open Source and NGINX Plus. The flaw is caused by improper handling of specially crafted MP4 files during processing. When such a file is parsed, it can trigger a buffer over-read or overwrite in worker memory, leading to process termination or undefined behavior. This vulnerability can be exploited by a local authenticated attacker capable of supplying a malicious MP4 file, potentially causing denial-of-service or achieving code execution under certain conditions.
Comment 2 errata-xmlrpc 2026-04-07 18:36:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:6906 https://access.redhat.com/errata/RHSA-2026:6906
Comment 3 errata-xmlrpc 2026-04-07 20:37:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:6907 https://access.redhat.com/errata/RHSA-2026:6907
Comment 4 errata-xmlrpc 2026-04-07 21:36:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:6923 https://access.redhat.com/errata/RHSA-2026:6923
Comment 5 errata-xmlrpc 2026-04-08 08:02:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7002 https://access.redhat.com/errata/RHSA-2026:7002
Comment 6 errata-xmlrpc 2026-04-09 18:53:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7343 https://access.redhat.com/errata/RHSA-2026:7343
Comment 11 errata-xmlrpc 2026-05-05 08:35:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:13634 https://access.redhat.com/errata/RHSA-2026:13634
Comment 12 errata-xmlrpc 2026-05-05 10:26:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:13680 https://access.redhat.com/errata/RHSA-2026:13680
Comment 13 errata-xmlrpc 2026-05-05 18:06:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:13839 https://access.redhat.com/errata/RHSA-2026:13839
Comment 14 errata-xmlrpc 2026-05-07 19:01:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:14836 https://access.redhat.com/errata/RHSA-2026:14836
Comment 15 errata-xmlrpc 2026-05-11 08:07:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:15942 https://access.redhat.com/errata/RHSA-2026:15942
Comment 16 errata-xmlrpc 2026-05-11 08:42:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:15943 https://access.redhat.com/errata/RHSA-2026:15943
Comment 17 errata-xmlrpc 2026-05-11 09:33:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:15945 https://access.redhat.com/errata/RHSA-2026:15945
Comment 18 errata-xmlrpc 2026-05-11 10:49:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:15966 https://access.redhat.com/errata/RHSA-2026:15966
Note You need to log in before you can comment on or make changes to this bug.