OPENSUSE-SU-2026:10423-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:10423-1

Vulnerability from csaf_opensuse - Published: 2026-03-25 00:00 - Updated: 2026-03-25 00:00

Summary

nginx-1.29.7-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: nginx-1.29.7-1.1 on GA media

Description of the patch: These are all security issues fixed in the nginx-1.29.7-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10423

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-27651

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27654

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27784

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-28753

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-28755

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32647

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-27651/	self
	https://www.suse.com/security/cve/CVE-2026-27654/	self
	https://www.suse.com/security/cve/CVE-2026-27784/	self
	https://www.suse.com/security/cve/CVE-2026-28753/	self
	https://www.suse.com/security/cve/CVE-2026-28755/	self
	https://www.suse.com/security/cve/CVE-2026-32647/	self
	https://www.suse.com/security/cve/CVE-2026-27651	external
	https://bugzilla.suse.com/1260415	external
	https://www.suse.com/security/cve/CVE-2026-27654	external
	https://bugzilla.suse.com/1260416	external
	https://www.suse.com/security/cve/CVE-2026-27784	external
	https://bugzilla.suse.com/1260417	external
	https://www.suse.com/security/cve/CVE-2026-28753	external
	https://bugzilla.suse.com/1260418	external
	https://www.suse.com/security/cve/CVE-2026-28755	external
	https://bugzilla.suse.com/1260419	external
	https://www.suse.com/security/cve/CVE-2026-32647	external
	https://bugzilla.suse.com/1260420	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "nginx-1.29.7-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the nginx-1.29.7-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10423",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10423-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27651 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27651/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27654 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27654/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27784 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27784/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-28753 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-28753/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-28755 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-28755/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32647 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32647/"
      }
    ],
    "title": "nginx-1.29.7-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-03-25T00:00:00Z",
      "generator": {
        "date": "2026-03-25T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10423-1",
      "initial_release_date": "2026-03-25T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-25T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.29.7-1.1.aarch64",
                "product": {
                  "name": "nginx-1.29.7-1.1.aarch64",
                  "product_id": "nginx-1.29.7-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.29.7-1.1.aarch64",
                "product": {
                  "name": "nginx-source-1.29.7-1.1.aarch64",
                  "product_id": "nginx-source-1.29.7-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.29.7-1.1.ppc64le",
                "product": {
                  "name": "nginx-1.29.7-1.1.ppc64le",
                  "product_id": "nginx-1.29.7-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.29.7-1.1.ppc64le",
                "product": {
                  "name": "nginx-source-1.29.7-1.1.ppc64le",
                  "product_id": "nginx-source-1.29.7-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.29.7-1.1.s390x",
                "product": {
                  "name": "nginx-1.29.7-1.1.s390x",
                  "product_id": "nginx-1.29.7-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.29.7-1.1.s390x",
                "product": {
                  "name": "nginx-source-1.29.7-1.1.s390x",
                  "product_id": "nginx-source-1.29.7-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "nginx-1.29.7-1.1.x86_64",
                "product": {
                  "name": "nginx-1.29.7-1.1.x86_64",
                  "product_id": "nginx-1.29.7-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "nginx-source-1.29.7-1.1.x86_64",
                "product": {
                  "name": "nginx-source-1.29.7-1.1.x86_64",
                  "product_id": "nginx-source-1.29.7-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.29.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64"
        },
        "product_reference": "nginx-1.29.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.29.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le"
        },
        "product_reference": "nginx-1.29.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.29.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x"
        },
        "product_reference": "nginx-1.29.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-1.29.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64"
        },
        "product_reference": "nginx-1.29.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.29.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64"
        },
        "product_reference": "nginx-source-1.29.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.29.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le"
        },
        "product_reference": "nginx-source-1.29.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.29.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x"
        },
        "product_reference": "nginx-source-1.29.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "nginx-source-1.29.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
        },
        "product_reference": "nginx-source-1.29.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27651",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27651"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When the ngx_mail_auth_http_module  module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27651",
          "url": "https://www.suse.com/security/cve/CVE-2026-27651"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260415 for CVE-2026-27651",
          "url": "https://bugzilla.suse.com/1260415"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-25T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-27651"
    },
    {
      "cve": "CVE-2026-27654",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27654"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27654",
          "url": "https://www.suse.com/security/cve/CVE-2026-27654"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260416 for CVE-2026-27654",
          "url": "https://bugzilla.suse.com/1260416"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-25T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-27654"
    },
    {
      "cve": "CVE-2026-27784",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27784"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27784",
          "url": "https://www.suse.com/security/cve/CVE-2026-27784"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260417 for CVE-2026-27784",
          "url": "https://bugzilla.suse.com/1260417"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-25T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-27784"
    },
    {
      "cve": "CVE-2026-28753",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-28753"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-28753",
          "url": "https://www.suse.com/security/cve/CVE-2026-28753"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260418 for CVE-2026-28753",
          "url": "https://bugzilla.suse.com/1260418"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-25T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2026-28753"
    },
    {
      "cve": "CVE-2026-28755",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-28755"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.    \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-28755",
          "url": "https://www.suse.com/security/cve/CVE-2026-28755"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260419 for CVE-2026-28755",
          "url": "https://bugzilla.suse.com/1260419"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-25T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-28755"
    },
    {
      "cve": "CVE-2026-32647",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32647"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
          "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32647",
          "url": "https://www.suse.com/security/cve/CVE-2026-32647"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260420 for CVE-2026-32647",
          "url": "https://bugzilla.suse.com/1260420"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-1.29.7-1.1.x86_64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.aarch64",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.ppc64le",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.s390x",
            "openSUSE Tumbleweed:nginx-source-1.29.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-25T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32647"
    }
  ]
}

CVE-2026-27784 (GCVE-0-2026-27784)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-25 14:09

Title

NGINX ngx_http_mp4_module vulnerability

Summary

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.5 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

f5

References

URL

Tags

https://my.f5.com/manage/s/article/K000160364

vendor-advisory

Impacted products

	Vendor	Product	Version
	F5	NGINX Open Source	Affected: 1.29.0 , < 1.29.7 (semver) Affected: 1.1.19 , < 1.28.3 (semver)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Prabhav Srinath (sprabhav7) for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27784",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T03:55:53.601160Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:09:53.726Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_mp4_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "1.1.19",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Prabhav Srinath (sprabhav7) for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:36:46.530Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160364"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_mp4_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-27784",
    "datePublished": "2026-03-24T14:13:25.343Z",
    "dateReserved": "2026-03-18T16:06:38.416Z",
    "dateUpdated": "2026-03-25T14:09:53.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28755 (GCVE-0-2026-28755)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:24

Title

NGINX ngx_stream_ssl_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-863 - Incorrect Authorization

Assigner

f5

References

URL

Tags

https://my.f5.com/manage/s/article/K000160368

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 1.27.2 , < 1.28.3 (semver)

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)

Date Public ?

2026-03-24 14:00

Credits

Mufeed VH of Winfunc Research

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28755",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:24:10.756255Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:24:16.108Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_stream_ssl_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "1.27.2",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_stream_ssl_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Mufeed VH of Winfunc Research"
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u0026nbsp; \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. \u00a0 \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:43:39.944Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160368"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_stream_ssl_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-28755",
    "datePublished": "2026-03-24T14:13:26.502Z",
    "dateReserved": "2026-03-18T16:06:38.442Z",
    "dateUpdated": "2026-03-24T15:24:16.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28753 (GCVE-0-2026-28753)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:24

Title

NGINX ngx_mail_proxy_module vulnerability

Summary

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Assigner

f5

References

URL

Tags

https://my.f5.com/manage/s/article/K000160367

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 0.6.27 , < 1.28.3 (semver)

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

Asim Viladi Oglu Manizada Colin Warren Xiao Liu (Yunnan University) Yuan Tan (UC Riverside) Bird Liu (Lanzhou University)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28753",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:24:28.689685Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:24:34.995Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_proxy_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "0.6.27",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_proxy_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Asim Viladi Oglu Manizada"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Colin Warren"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Xiao Liu (Yunnan University)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Yuan Tan (UC Riverside)"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Bird Liu (Lanzhou University)"
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:49:49.169Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160367"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_mail_proxy_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-28753",
    "datePublished": "2026-03-24T14:13:26.107Z",
    "dateReserved": "2026-03-18T16:06:38.435Z",
    "dateUpdated": "2026-03-24T15:24:34.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27654 (GCVE-0-2026-27654)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:15

Title

NGINX ngx_http_dav_module vulnerability

Summary

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

8.8 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

CWE

CWE-122 - Heap-based Buffer Overflow

Assigner

f5

References

URL

Tags

https://my.f5.com/manage/s/article/K000160382

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 0.5.13 , < 1.28.3 (semver)

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Calif.io in collaboration with Claude and Anthropic Research for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:14:50.235649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:15:00.495Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_dav_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "0.5.13",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_dav_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Calif.io in collaboration with Claude and Anthropic Research for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:32:07.177Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160382"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_dav_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-27654",
    "datePublished": "2026-03-24T14:13:26.879Z",
    "dateReserved": "2026-03-18T16:06:38.448Z",
    "dateUpdated": "2026-03-24T15:15:00.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32647 (GCVE-0-2026-32647)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-25 03:55

Title

NGINX ngx_http_mp4_module vulnerability

Summary

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.5 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-125 - Out-of-bounds Read

Assigner

f5

References

URL

Tags

https://my.f5.com/manage/s/article/K000160366

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 1.1.19 , < 1.28.3 (semver)

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Xint Code and Pavel Kohout (Aisle Research) for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32647",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T03:55:49.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_mp4_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "1.1.19",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_mp4_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Xint Code and Pavel Kohout (Aisle Research) for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:40:08.455Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160366"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_mp4_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-32647",
    "datePublished": "2026-03-24T14:13:25.724Z",
    "dateReserved": "2026-03-18T16:06:38.427Z",
    "dateUpdated": "2026-03-25T03:55:49.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27651 (GCVE-0-2026-27651)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:13 – Updated: 2026-03-24 15:14

Title

NGINX ngx_mail_auth_http_module vulnerability

Summary

When the ngx_mail_auth_http_module module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-476 - NULL Pointer Dereference

Assigner

f5

References

URL

Tags

https://my.f5.com/manage/s/article/K000160383

vendor-advisory

Impacted products

Vendor

Product

Version

NGINX Open Source

Affected: 1.29.0 , < 1.29.7 (semver)
Affected: 0.5.15 , < 1.28.3 (semver)

Affected: R36 , < R36 P3 (custom)
Affected: R35 , < R35 P2 (custom)
Affected: R34 , < * (custom)
Affected: R33 , < * (custom)
Affected: R32 , < R32 P5 (custom)

Date Public ?

2026-03-24 14:00

Credits

F5 acknowledges Arkadi Vainbrand for bringing this issue to our attention and following the highest standards of coordinated disclosure.

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27651",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T15:02:03.137056Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T15:14:13.220Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_mail_auth_http_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "1.29.7",
              "status": "affected",
              "version": "1.29.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.28.3",
              "status": "affected",
              "version": "0.5.15",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_mail_auth_http_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "R36 P3",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R35 P2",
              "status": "affected",
              "version": "R35",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R34",
              "versionType": "custom"
            },
            {
              "lessThan": "*",
              "status": "affected",
              "version": "R33",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P5",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "F5 acknowledges Arkadi Vainbrand for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-03-24T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen the \u003c/span\u003e\u003cstrong\u003engx_mail_auth_http_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header.\u003c/span\u003e Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "When the ngx_mail_auth_http_module\u00a0module is enabled on NGINX Plus or NGINX Open Source, undisclosed requests can cause worker processes to terminate. This issue may occur when (1) CRAM-MD5 or APOP authentication is enabled, and (2) the authentication server permits retry by returning the Auth-Wait response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T14:22:35.756Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://my.f5.com/manage/s/article/K000160383"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_mail_auth_http_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-27651",
    "datePublished": "2026-03-24T14:13:27.295Z",
    "dateReserved": "2026-03-18T16:06:38.454Z",
    "dateUpdated": "2026-03-24T15:14:13.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.