CVE-2026-27135

CVE-2026-27135

Name

CVE-2026-27135

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
security-advisories@github.com	https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/03/20/3

Type

URI

security-advisories@github.com

https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1

security-advisories@github.com

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2026/03/20/3

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nghttp2:nghttp2::::::::`	nghttp2	>= None	< 1.68.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*

nghttp2

>= None

< 1.68.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
nghttp2	edge-main	1.68.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	edge-main	1.67.1-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	edge-main	1.66.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	edge-main	1.65.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	edge-main	1.64.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	edge-main	1.57.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	edge-main	1.41.0-r0	None	possibly vulnerable
nghttp2	edge-main	1.39.2-r0	None	possibly vulnerable
nghttp2	3.23-main	1.68.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	3.22-main	1.65.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	3.22-main	1.57.0-r0	None	possibly vulnerable
nghttp2	3.22-main	1.41.0-r0	None	possibly vulnerable
nghttp2	3.22-main	1.39.2-r0	None	possibly vulnerable
nghttp2	3.21-main	1.64.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	3.21-main	1.57.0-r0	None	possibly vulnerable
nghttp2	3.21-main	1.41.0-r0	None	possibly vulnerable
nghttp2	3.21-main	1.39.2-r0	None	possibly vulnerable
nghttp2	3.20-main	1.62.1-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	3.20-main	1.57.0-r0	None	possibly vulnerable
nghttp2	3.20-main	1.41.0-r0	None	possibly vulnerable
nghttp2	3.20-main	1.39.2-r0	None	possibly vulnerable
nghttp2	3.19-main	1.58.0-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
nghttp2	3.19-main	1.57.0-r0	None	possibly vulnerable
nghttp2	3.19-main	1.41.0-r0	None	possibly vulnerable
nghttp2	3.19-main	1.39.2-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages