CVE-2022-41743 HIGH

CVE-2022-41743: NGINX ngx_http_hls_module vulnerability CVE-2022-41743

Vendor F5

Product NGINX Plus

Weakness CWE-787

Published October 19, 2022

Last update May 8, 2025

View on NVD All CVEs

CVSS base score

7.0/10

Attack vector Local

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issue affects only NGINX Plus when the hls directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_hls_module.

Key dates

Disclosure timeline

October 19, 2022 CVE published

May 8, 2025 Record updated

Identifiers

CVE CVE-2022-41743

CWE CWE-787

CVSS 7.0 / HIGH

Affected versions

Vendor F5

Product NGINX Plus

Affected ≥ R27 and < R27-p1

Vendor F5

Product NGINX Plus

Affected ≥ R1 and < R26-p1