ALPINE-CVE-2026-32647

See a problem?
Please try reporting it to the source first.
Source
https://security.alpinelinux.org/vuln/CVE-2026-32647
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-32647.json
JSON Data
https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2026-32647
Upstream
  • CVE-2026-32647
Published
2026-03-24T15:16:34.667Z
Modified
2026-03-26T15:33:48.836888Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

NGINX Open Source and NGINX Plus have a vulnerability in the ngxhttpmp4module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngxhttpmp4module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngxhttpmp4_module module.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References

Affected packages

Alpine:v3.22 / nginx

Package

Name
nginx
Purl
pkg:apk/alpine/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.3-r0

Affected versions

0.*
0.8.53-r0
0.8.54-r0
0.8.54-r1
1.*
1.0.4-r0
1.0.4-r1
1.0.5-r0
1.0.11-r0
1.0.11-r1
1.0.14-r0
1.0.15-r0
1.2.2-r0
1.2.3-r0
1.2.4-r0
1.2.5-r0
1.2.6-r0
1.2.7-r0
1.2.8-r0
1.4.0-r0
1.4.0-r1
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.4.3-r1
1.4.4-r0
1.4.4-r1
1.4.4-r2
1.4.5-r0
1.4.6-r0
1.4.7-r0
1.6.0-r0
1.6.0-r1
1.6.0-r2
1.6.0-r3
1.6.1-r0
1.6.1-r1
1.6.2-r0
1.6.2-r1
1.6.2-r2
1.6.2-r3
1.6.3-r0
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.1-r0
1.8.1-r1
1.9.11-r0
1.9.14-r0
1.9.14-r1
1.10.0-r0
1.10.1-r0
1.10.1-r1
1.10.1-r2
1.10.1-r3
1.10.1-r4
1.10.1-r5
1.10.1-r6
1.10.1-r7
1.10.1-r8
1.10.1-r9
1.10.2-r0
1.10.2-r1
1.10.3-r0
1.10.3-r1
1.10.3-r2
1.10.3-r3
1.10.3-r4
1.10.3-r5
1.12.0-r0
1.12.0-r1
1.12.0-r2
1.12.1-r0
1.12.1-r1
1.12.1-r2
1.12.1-r3
1.12.2-r0
1.12.2-r1
1.12.2-r2
1.12.2-r3
1.12.2-r4
1.12.2-r5
1.12.2-r6
1.14.0-r0
1.14.0-r1
1.14.0-r2
1.14.1-r0
1.14.2-r0
1.14.2-r1
1.16.0-r0
1.16.0-r1
1.16.0-r2
1.16.0-r3
1.16.0-r4
1.16.1-r0
1.16.1-r1
1.16.1-r2
1.16.1-r3
1.16.1-r4
1.16.1-r5
1.16.1-r6
1.16.1-r7
1.16.1-r8
1.18.0-r0
1.18.0-r1
1.18.0-r2
1.18.0-r3
1.18.0-r4
1.18.0-r5
1.18.0-r6
1.18.0-r7
1.18.0-r8
1.18.0-r9
1.18.0-r10
1.18.0-r11
1.18.0-r12
1.18.0-r13
1.18.0-r14
1.18.0-r15
1.20.0-r0
1.20.1-r0
1.20.1-r1
1.20.1-r2
1.20.1-r3
1.20.1-r4
1.20.1-r5
1.20.1-r6
1.20.1-r7
1.20.1-r8
1.20.1-r9
1.20.1-r10
1.20.1-r11
1.20.1-r12
1.20.1-r13
1.20.2-r0
1.20.2-r1
1.20.2-r2
1.22.0-r0
1.22.0-r1
1.22.0-r2
1.22.0-r3
1.22.0-r4
1.22.0-r5
1.22.0-r6
1.22.0-r7
1.22.0-r8
1.22.1-r0
1.22.1-r1
1.22.1-r2
1.24.0-r0
1.24.0-r1
1.24.0-r2
1.24.0-r3
1.24.0-r4
1.24.0-r5
1.24.0-r6
1.24.0-r7
1.24.0-r8
1.24.0-r9
1.24.0-r10
1.24.0-r11
1.24.0-r12
1.24.0-r13
1.24.0-r14
1.24.0-r15
1.24.0-r16
1.24.0-r17
1.24.0-r18
1.24.0-r19
1.24.0-r20
1.26.0-r0
1.26.0-r1
1.26.0-r2
1.26.1-r0
1.26.1-r1
1.26.1-r2
1.26.1-r3
1.26.2-r0
1.26.2-r1
1.26.2-r2
1.26.2-r3
1.26.2-r4
1.26.3-r0
1.26.3-r1
1.26.3-r2
1.26.3-r3
1.26.3-r4
1.28.0-r0
1.28.0-r1
1.28.0-r2
1.28.0-r3
1.28.2-r0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-32647.json"

Alpine:v3.23 / nginx

Package

Name
nginx
Purl
pkg:apk/alpine/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.3-r0

Affected versions

0.*
0.8.53-r0
0.8.54-r0
0.8.54-r1
1.*
1.0.4-r0
1.0.4-r1
1.0.5-r0
1.0.11-r0
1.0.11-r1
1.0.14-r0
1.0.15-r0
1.2.2-r0
1.2.3-r0
1.2.4-r0
1.2.5-r0
1.2.6-r0
1.2.7-r0
1.2.8-r0
1.4.0-r0
1.4.0-r1
1.4.1-r0
1.4.2-r0
1.4.2-r1
1.4.3-r0
1.4.3-r1
1.4.4-r0
1.4.4-r1
1.4.4-r2
1.4.5-r0
1.4.6-r0
1.4.7-r0
1.6.0-r0
1.6.0-r1
1.6.0-r2
1.6.0-r3
1.6.1-r0
1.6.1-r1
1.6.2-r0
1.6.2-r1
1.6.2-r2
1.6.2-r3
1.6.3-r0
1.8.0-r0
1.8.0-r1
1.8.0-r2
1.8.0-r3
1.8.1-r0
1.8.1-r1
1.9.11-r0
1.9.14-r0
1.9.14-r1
1.10.0-r0
1.10.1-r0
1.10.1-r1
1.10.1-r2
1.10.1-r3
1.10.1-r4
1.10.1-r5
1.10.1-r6
1.10.1-r7
1.10.1-r8
1.10.1-r9
1.10.2-r0
1.10.2-r1
1.10.3-r0
1.10.3-r1
1.10.3-r2
1.10.3-r3
1.10.3-r4
1.10.3-r5
1.12.0-r0
1.12.0-r1
1.12.0-r2
1.12.1-r0
1.12.1-r1
1.12.1-r2
1.12.1-r3
1.12.2-r0
1.12.2-r1
1.12.2-r2
1.12.2-r3
1.12.2-r4
1.12.2-r5
1.12.2-r6
1.14.0-r0
1.14.0-r1
1.14.0-r2
1.14.1-r0
1.14.2-r0
1.14.2-r1
1.16.0-r0
1.16.0-r1
1.16.0-r2
1.16.0-r3
1.16.0-r4
1.16.1-r0
1.16.1-r1
1.16.1-r2
1.16.1-r3
1.16.1-r4
1.16.1-r5
1.16.1-r6
1.16.1-r7
1.16.1-r8
1.18.0-r0
1.18.0-r1
1.18.0-r2
1.18.0-r3
1.18.0-r4
1.18.0-r5
1.18.0-r6
1.18.0-r7
1.18.0-r8
1.18.0-r9
1.18.0-r10
1.18.0-r11
1.18.0-r12
1.18.0-r13
1.18.0-r14
1.18.0-r15
1.20.0-r0
1.20.1-r0
1.20.1-r1
1.20.1-r2
1.20.1-r3
1.20.1-r4
1.20.1-r5
1.20.1-r6
1.20.1-r7
1.20.1-r8
1.20.1-r9
1.20.1-r10
1.20.1-r11
1.20.1-r12
1.20.1-r13
1.20.2-r0
1.20.2-r1
1.20.2-r2
1.22.0-r0
1.22.0-r1
1.22.0-r2
1.22.0-r3
1.22.0-r4
1.22.0-r5
1.22.0-r6
1.22.0-r7
1.22.0-r8
1.22.1-r0
1.22.1-r1
1.22.1-r2
1.24.0-r0
1.24.0-r1
1.24.0-r2
1.24.0-r3
1.24.0-r4
1.24.0-r5
1.24.0-r6
1.24.0-r7
1.24.0-r8
1.24.0-r9
1.24.0-r10
1.24.0-r11
1.24.0-r12
1.24.0-r13
1.24.0-r14
1.24.0-r15
1.24.0-r16
1.24.0-r17
1.24.0-r18
1.24.0-r19
1.24.0-r20
1.26.0-r0
1.26.0-r1
1.26.0-r2
1.26.1-r0
1.26.1-r1
1.26.1-r2
1.26.1-r3
1.26.2-r0
1.26.2-r1
1.26.2-r2
1.26.2-r3
1.26.2-r4
1.26.3-r0
1.26.3-r1
1.26.3-r2
1.26.3-r3
1.26.3-r4
1.28.0-r0
1.28.0-r1
1.28.0-r2
1.28.0-r3
1.28.0-r4
1.28.0-r5
1.28.0-r6
1.28.0-r7
1.28.0-r8
1.28.2-r0
1.28.2-r1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-32647.json"