Platform: nginx
Component: nginx
Fixed in: 1.29.7, 1.28.3
CVE-2026-27784 describes a memory corruption vulnerability in Nginx Open Source. An attacker can exploit this flaw by providing a specially crafted MP4 file, potentially causing Nginx worker processes to terminate. This vulnerability affects versions 1.1.19 through 1.29.7 of Nginx Open Source built with the ngx_http_mp4_module and using the mp4 directive. A fix is available in version 1.29.7.
Successful exploitation of CVE-2026-27784 allows an attacker to trigger a denial-of-service (DoS) condition by causing Nginx worker processes to crash. The vulnerability stems from an issue in the 32-bit implementation of the ngx_http_mp4_module module. The crafted MP4 file exploits a flaw in how Nginx handles the file, leading to memory over-read or over-write. This is particularly concerning for environments heavily reliant on Nginx for serving media content, as a malicious MP4 file could disrupt service availability. The attack requires the attacker to be able to trigger the processing of the crafted MP4 file by Nginx.
CVE-2026-27784 was publicly disclosed on 2026-03-24. There is no indication of active exploitation campaigns at this time. The vulnerability is limited to 32-bit Nginx installations with the ngx_http_mp4_module enabled and the mp4 directive configured, which reduces the potential attack surface. It is not currently listed on CISA KEV. Public proof-of-concept exploits are not yet available.
EPSS: 0.01% (2% percentile)
The primary mitigation for CVE-2026-27784 is to upgrade Nginx Open Source to version 1.29.7 or later. If upgrading is not immediately feasible, consider disabling the ngx_http_mp4_module module by removing it from the Nginx configuration file. This will prevent the processing of MP4 files by the vulnerable module. Additionally, implement strict input validation for MP4 files served by Nginx to prevent the upload or processing of potentially malicious files. Monitor Nginx error logs for unusual crashes or memory-related errors that could indicate exploitation attempts. After upgrading, confirm the fix by attempting to serve a known-good MP4 file and verifying that Nginx processes it without errors.
Update NGINX Open Source to version 1.29.7 or later, or to version 1.28.3 or later, depending on your version branch. This will fix the vulnerability in the ngx_http_mp4_module module. If you cannot update, avoid using the mp4 directive in your configuration file.
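The exposure conditions stated on this page (affected version, mp4 module compiled in, 32-bit build, `mp4` directive in use) can be checked mechanically. The following is an added example, not code from nginx or from the advisory; the function names, the `pointer_bits` parameter and the sample inputs are assumptions made for illustration, and 1.29.7 and 1.28.3 are treated as fixed per the "Fixed in" field above.

```python
import re

# Version boundaries taken from this page ("Fixed in" and affected-range text).
FIRST_AFFECTED = (1, 1, 19)
FIXED_MAINLINE = (1, 29, 7)
FIXED_STABLE = (1, 28, 3)

# Constructed sample inputs: `nginx -V` output (nginx writes it to stderr)
# and a config fragment such as `nginx -T` would dump.
SAMPLE_NGINX_V = (
    "nginx version: nginx/1.28.2\n"
    "configure arguments: --prefix=/etc/nginx --with-http_ssl_module "
    "--with-http_mp4_module\n"
)
SAMPLE_CONF = """
location /video/ {
    mp4;
    mp4_buffer_size 1m;
}
"""

def parse_nginx_v(text):
    """Return (version tuple, mp4 module compiled in?) from `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version line found")
    version = tuple(int(part) for part in m.groups())
    return version, "--with-http_mp4_module" in text

def version_affected(v):
    """True if v is in the affected range and predates both fixed releases."""
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # The 1.28.x stable branch received its own fixed release.
    return not (v[:2] == FIXED_STABLE[:2] and v >= FIXED_STABLE)

def uses_mp4_directive(conf):
    """True if an uncommented `mp4;` directive appears in the config text."""
    stripped = re.sub(r"#.*", "", conf)  # naive: ignores '#' inside quoted strings
    # Must not match `mp4_buffer_size ...;` or a `\.mp4$` location regex.
    return re.search(r"(?<![\w.])mp4\s*;", stripped) is not None

def exposed(nginx_v_output, conf, pointer_bits):
    """pointer_bits: word size of the nginx build (32 or 64), supplied by the caller."""
    version, has_module = parse_nginx_v(nginx_v_output)
    return (version_affected(version) and has_module
            and pointer_bits == 32 and uses_mp4_directive(conf))
```

A result of `False` from `exposed` only means the four conditions listed on this page are not all met for the inputs given; it is not a substitute for upgrading.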
CVE-2026-27784 is a HIGH severity vulnerability affecting Nginx Open Source versions 1.1.19–1.29.7 where a crafted MP4 file can cause memory corruption and potential Nginx worker termination.
You are affected if you are running Nginx Open Source versions 1.1.19 through 1.29.7, are using a 32-bit architecture, have the ngx_http_mp4_module enabled, and are using the mp4 directive in your configuration.
Upgrade to Nginx Open Source version 1.29.7 or later. Alternatively, disable the ngx_http_mp4_module module in your configuration.
There is currently no indication of active exploitation campaigns for CVE-2026-27784.
Refer to the official Nginx security advisory for CVE-2026-27784 at [https://nginx.org/security/advisories/](https://nginx.org/security/advisories/)