CVE-2022-41741

HIGH

NGINX <1.23.2-1.22.1 - Memory Corruption

Title source: llm
STIX 2.1

Description

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Exploits (2)

nomisec SCANNER 1 stars
by moften · poc
https://github.com/moften/CVE-2022-41741-742-Nginx-Vulnerability-Scanner
nomisec WORKING POC 1 stars
by dumbbutt0 · poc
https://github.com/dumbbutt0/evilMP4

References (7)

Scores

CVSS v3 7.0
EPSS 0.0083
EPSS Percentile 74.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-787
Status published
Products (12)
debian/debian_linux 10.0
debian/debian_linux 11.0
f5/nginx 1.23.0
f5/nginx 1.23.1
f5/nginx r1
f5/nginx r2
f5/nginx 1.1.3 - 1.22.0
f5/nginx r22 - r27
f5/nginx_ingress_controller 1.9.0 - 1.12.4
fedoraproject/fedora 35
... and 2 more
Published Oct 19, 2022
Tracked Since Feb 18, 2026