CVE-2024-32760
CVE-2024-32760 is a medium-severity vulnerability in F5 Nginx Open Source with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-787.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 1% (54th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-34467
- Weakness: CWE-787
- Affected product: F5 Nginx Open Source
- Published:
- Last modified:
Description
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
Frequently asked questions
- What is CVE-2024-32760?
- When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
- How severe is CVE-2024-32760?
- CVE-2024-32760 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability low.
- Is CVE-2024-32760 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (54th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-32760?
- CVE-2024-32760 primarily affects F5 Nginx Open Source. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-32760?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-32760 have an EU (EUVD) identifier?
- Yes. CVE-2024-32760 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-34467.
- When was CVE-2024-32760 published?
- CVE-2024-32760 was published on 2024-05-29 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2024/05/30/4
- https://lists.fedoraproject.org/archives/list/[email protected]/message/MLAOKJWDALQZBIV3WKGPJ6T5Z56D3PRD/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/R7RPLWC35WHEUFCGKNFG62ESNID25TEZ/
- https://my.f5.com/manage/s/article/K000139609
Affected products (8)
- cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*
- cpe:2.3:a:f5:nginx_plus:r30:p1:*:*:*:*:*:*
- cpe:2.3:a:f5:nginx_plus:r30:p2:*:*:*:*:*:*
- cpe:2.3:a:f5:nginx_plus:r31:-:*:*:*:*:*:*
- cpe:2.3:a:f5:nginx_plus:r31:p1:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
More vulnerabilities in F5 Nginx Open Source
- CVE-2026-27654 — High (CVSS 8.2): NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to…
- CVE-2026-42530 — High (CVSS 8.1): NGINX Open Source has a vulnerability in the ngx_http_v3_module module. When NGINX Open Source is configured to use…
- CVE-2026-42055 — High (CVSS 8.1): NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and…
- CVE-2026-9256 — High (CVSS 8.1): NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists…
- CVE-2026-42945 — High (CVSS 8.1): NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists…
- CVE-2026-32647 — High (CVSS 7.8): NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker…
All CVEs affecting F5 Nginx Open Source →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…