CVE-2026-27135
Description
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library is expected to stop reading incoming data when the user-facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. These functions may also be called internally by the library when it detects a condition that constitutes a connection error. Due to missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Subsequently receiving a malformed frame that causes FRAME_SIZE_ERROR then triggers an assertion failure. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing state check in nghttp2 before 1.68.1 lets an attacker trigger an assertion failure via crafted HTTP/2 frames, causing a denial of service.
Vulnerability (CVE-2026-27135)
The nghttp2 library, an HTTP/2 implementation in C, contains a flaw in its session management logic. When the application calls nghttp2_session_terminate_session or nghttp2_session_terminate_session2, or the library does so internally upon detecting a connection error, data reception should stop. However, due to missing internal state validation, the library continues to read incoming frames after one of these APIs is called. If a subsequent malformed frame causes a FRAME_SIZE_ERROR, an assertion failure occurs [1][3].
Attack Vector and Exploitation
An attacker who can send specially crafted HTTP/2 frames to a vulnerable service may exploit this flaw. The attack does not require authentication but requires the attacker to be able to establish an HTTP/2 connection. Specific paths involve sending frames like ALTSVC, PRIORITY_UPDATE, or user-defined extension frames that trigger the termination API, followed by a malformed frame that provokes the assertion [3]. For built-in extension frames (ALTSVC, PRIORITY_UPDATE) or user-defined extensions, the application must have explicitly enabled them via nghttp2_option_set_builtin_recv_extension_type or nghttp2_option_set_user_recv_extension_type [3]. The vulnerability is present regardless of whether assertions are compiled in; if NDEBUG is defined, the assertion is disabled, but the library still fails to stop processing input after termination, leading to other potential failures [3].
Impact
Successful exploitation causes a denial of service (DoS) by crashing the library via assertion failure. This can terminate the affected HTTP/2 session and potentially the entire service, depending on how the library integrates with the application. The impact is limited to availability; no data confidentiality or integrity is compromised [1][3].
Mitigation
The vulnerability is fixed in nghttp2 version 1.68.1. The patch adds checks for the session state (NGHTTP2_IB_IGN_ALL) at several points in the receive function, ensuring that once termination is signaled, further incoming data is ignored without processing [2]. No workarounds are available; upgrading to the patched version is required [1][3].
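To make the fixed check concrete, the following is an added model written for this page, not nghttp2 source: a minimal HTTP/2 frame receive loop (9-byte header per RFC 7540 section 4.1) with an "ignore all" state standing in for NGHTTP2_IB_IGN_ALL. The `patched` flag toggles the state check the 1.68.1 fix adds; the frame type 0x40 and the terminate-on-any-frame application policy are constructed for the scenario.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_FRAME_SIZE 16384u            /* SETTINGS_MAX_FRAME_SIZE default */
#define FRAME_HDR 9                      /* RFC 7540 section 4.1 frame header */
enum state { ST_ACTIVE, ST_IGN_ALL };    /* ST_IGN_ALL models NGHTTP2_IB_IGN_ALL */
struct session { enum state state; void (*on_frame)(struct session *, uint8_t); };

/* Model of nghttp2_session_terminate_session: from here on only drain input. */
void terminate_session(struct session *s) { s->state = ST_IGN_ALL; }

/* Feed a buffer of frames. Returns bytes consumed, -1 for a connection error on a
 * live session, or -2 where the unpatched library would hit its assertion:
 * a FRAME_SIZE_ERROR raised after the session was already terminated. */
long recv_frames(struct session *s, const uint8_t *buf, size_t len, int patched)
{
    size_t off = 0;
    while (off + FRAME_HDR <= len) {
        if (patched && s->state == ST_IGN_ALL)   /* the check added in 1.68.1 */
            return (long)len;                     /* drain, never interpret */
        uint32_t flen = (uint32_t)buf[off] << 16 | (uint32_t)buf[off + 1] << 8 | buf[off + 2];
        if (flen > MAX_FRAME_SIZE) {
            if (s->state == ST_IGN_ALL)
                return -2;             /* reachable only without the state check */
            terminate_session(s);      /* library-initiated connection error */
            return -1;
        }
        if (off + FRAME_HDR + flen > len)
            break;                     /* partial frame: wait for more bytes */
        if (s->on_frame) s->on_frame(s, buf[off + 3]);   /* application callback */
        off += FRAME_HDR + flen;
    }
    return (long)off;
}

/* Constructed policy: the model application terminates on any received frame. */
static void terminate_on_frame(struct session *s, uint8_t type) { (void)type; terminate_session(s); }

/* Constructed input: an empty frame of unknown type 0x40 on stream 1, followed by a
 * header claiming a 0x100000-byte frame (> MAX_FRAME_SIZE). */
long run_scenario(int patched, int app_terminates)
{
    static const uint8_t wire[] = {
        0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x01,
        0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
    struct session s = { ST_ACTIVE, app_terminates ? terminate_on_frame : NULL };
    return recv_frames(&s, wire, sizeof wire, patched);
}
```

With the patched check, a terminated session swallows the oversized header and returns the full 18 bytes; without it, the same input reaches the FRAME_SIZE_ERROR path in the terminated state (-2), which is where the real library asserts.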
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nghttp2/nghttp2 (range: < 1.68.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 (nvd: Patch)
- github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6 (nvd: Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2026/03/20/3 (nvd: Mailing List, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2026/05/msg00025.html (nvd)
News mentions
No linked articles in our index yet.