new file mode 100644
@@ -0,0 +1,78 @@
+From a172c880cb51f882a5dc999437e8b3a4f87630cc Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Sat, 21 Feb 2026 12:04:36 +0400
+Subject: [PATCH] Mp4: avoid zero size buffers in output.
+
+Previously, data validation checks did not cover the cases when the output
+contained empty buffers. Such buffers are considered illegal and produce
+"zero size buf in output" alerts. The change rejects the mp4 files which
+produce such alerts.
+
+Also, the change fixes possible buffer overread and overwrite that could
+happen while processing empty stco and co64 atoms, as reported by
+Pavel Kohout (Aisle Research) and Tim Becker.
+
+CVE: CVE-2026-32647
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index a7f8be7..015e42c 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+ }
+ }
+
+- if (end_offset < start_offset) {
+- end_offset = start_offset;
++ if (end_offset <= start_offset) {
++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++ "no data between start time and end time in \"%s\"",
++ mp4->file.name.data);
++ return NGX_ERROR;
+ }
+
+ mp4->moov_size += 8;
+@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+
+ *prev = &mp4->mdat_atom;
+
+- if (start_offset > mp4->mdat_data.buf->file_last) {
++ if (start_offset >= mp4->mdat_data.buf->file_last) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 mdat atom in \"%s\"",
+ mp4->file.name.data);
+@@ -3416,7 +3419,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
+ if (data) {
+ entries = trak->sample_sizes_entries;
+
+- if (trak->start_sample > entries) {
++ if (trak->start_sample >= entries) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 stsz samples in \"%s\"",
+ mp4->file.name.data);
+@@ -3591,7 +3594,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
+ return NGX_ERROR;
+ }
+
+- if (trak->start_chunk > trak->chunks) {
++ if (trak->start_chunk >= trak->chunks) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 stco chunks in \"%s\"",
+ mp4->file.name.data);
+@@ -3806,7 +3809,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
+ return NGX_ERROR;
+ }
+
+- if (trak->start_chunk > trak->chunks) {
++ if (trak->start_chunk >= trak->chunks) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "start time is out mp4 co64 chunks in \"%s\"",
+ mp4->file.name.data);
+--
+2.50.1
+
@@ -8,6 +8,7 @@ SRC_URI:append = " \
file://CVE-2026-27651.patch \
file://CVE-2026-27654.patch \
file://CVE-2026-28753.patch \
+ file://CVE-2026-32647.patch \
"
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160366 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647 [3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../nginx/nginx-1.24.0/CVE-2026-32647.patch | 78 +++++++++++++++++++ .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 + 2 files changed, 79 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch