CVE-2022-41742
NGINX ngx_http_mp4_module vulnerability CVE-2022-41742NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
We have discovered 1,824,159 live websites that are affected by CVE-2022-41742.
Affected Software
| Product |  Nginx |
| Category | Web Servers |
| Vulnerable Domains | 1,824,159 live websites (56% of Nginx install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 196 versions ( 87% of all versions) |
Common Weakness Enumeration
CWE-787 Out-of-bounds WriteDetails
- Published - Oct 19, 2022
- Updated - May 8, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2022-41742 United States | 469,925 websites |
 Russia | 414,733 websites |
 China | 116,917 websites |
 Germany | 107,663 websites |
 France | 68,932 websites |
 British Virgin Islands | 54,217 websites |
 Brazil | 52,022 websites |
 Singapore | 40,489 websites |
 Hong Kong | 39,698 websites |
 Italy | 38,895 websites |
Website Distribution by TLD
Number of websites using CVE-2022-41742| .com | 591,738 websites |
| .ru | 401,632 websites |
| .cn | 62,893 websites |
| .org | 53,218 websites |
| .net | 51,998 websites |
| .com.br | 46,047 websites |
| .de | 43,896 websites |
| .it | 30,925 websites |
| .cz | 25,931 websites |
| .nl | 21,121 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2022-41742
Top websites that are affected by CVE-2022-41742. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************.org | Singapore | *** | |
| *.me | British Virgin Islands | *** | |
| ******.de | Germany | *** | |
| ****.******.org | United States | *** | |
| ***.**.**.com | China | *** | |
| ********.me | British Virgin Islands | *** | |
| **********.com | United States | *** | |
| *******.com | United States | *** | |
| *******.******.com | United States | *** | |
| ************.ru | Russia | *** |
FAQ
CVE-2022-41742 is Out-of-bounds Write in Nginx
A total of 1,824,159 websites have been identified as vulnerable to CVE-2022-41742, based on global website indexing conducted by WebTechSurvey.
The Nginx is affected by the CVE-2022-41742 vulnerability.
Nginx versions up to 1.23.2 are vulnerable to CVE-2022-41742.
CVE-2022-41742 is resolved in version 1.23.2 of Nginx.
References
- https://support.f5.com/csp/article/K28112382
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPRVYA4FS34VWB4FEFYNAD7Z2LFCJVEI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FD6M3PVVKO35WLAA7GLDBS6TEQ26SM64/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WBORRVG7VVXYOAIAD64ZHES2U2VIUKFQ/
- https://www.debian.org/security/2022/dsa-5281
- https://lists.debian.org/debian-lts-announce/2022/11/msg00031.html
- https://security.netapp.com/advisory/ntap-20230120-0005/