CVE-2022-41741: 
NGINX vulnerability analysis and mitigation

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngxhttpmp4module that might allow a local attacker to corrupt NGINX worker memory. The vulnerability was discovered in October 2022 and affects NGINX products that are built with the ngxhttpmp4module, specifically when the mp4 directive is used in the configuration file (CVE Mitre).

The vulnerability exists in the ngxhttpmp4module module of NGINX and is triggered when processing specially crafted audio or video files. The issue only affects NGINX installations that are built with the ngxhttpmp4module and have the mp4 directive enabled in their configuration. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could result in worker process memory corruption, leading to process termination or potential other impacts. The vulnerability could allow attackers to cause denial of service conditions, disclose sensitive information, or potentially execute arbitrary code when processing malformed mp4 files (Debian Security).

The vulnerability has been fixed in NGINX Open Source versions 1.23.2 and 1.22.1, NGINX Open Source Subscription versions R2 P1 and R1 P1, and NGINX Plus versions R27 P1 and R26 P1. Users are advised to upgrade to these or later versions to address the vulnerability (Fedora Update).