7.5
CVE-2026-27135
- EPSS 0.78%
- Veröffentlicht 18.03.2026 17:59:02
- Zuletzt bearbeitet 30.06.2026 03:17:53
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
nghttp2 Denial of service: Assertion failure due to the missing state validation
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.78% | 0.511 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-617 Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6
https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
http://www.openwall.com/lists/oss-security/2026/03/20/3
https://access.redhat.com/errata/RHSA-2026:9832
https://access.redhat.com/errata/RHSA-2026:10065
https://access.redhat.com/errata/RHSA-2026:11768
https://access.redhat.com/errata/RHSA-2026:13812
https://access.redhat.com/errata/RHSA-2026:14937
https://access.redhat.com/errata/RHSA-2026:16174
https://access.redhat.com/errata/RHSA-2026:15087
https://access.redhat.com/errata/RHSA-2026:14773
https://lists.debian.org/debian-lts-announce/2026/05/msg00025.html
https://access.redhat.com/errata/RHSA-2026:16008
https://access.redhat.com/errata/RHSA-2026:16009
https://access.redhat.com/errata/RHSA-2026:16030
https://access.redhat.com/errata/RHSA-2026:17596
https://access.redhat.com/errata/RHSA-2026:19725
https://access.redhat.com/errata/RHSA-2026:19724
https://access.redhat.com/errata/RHSA-2026:20040
https://access.redhat.com/errata/RHSA-2026:21690
https://access.redhat.com/errata/RHSA-2026:25096
https://access.redhat.com/errata/RHSA-2026:20087
https://access.redhat.com/errata/RHSA-2026:21695
https://access.redhat.com/errata/RHSA-2026:7080
https://access.redhat.com/errata/RHSA-2026:7123
https://access.redhat.com/errata/RHSA-2026:7302
https://access.redhat.com/errata/RHSA-2026:7310
https://access.redhat.com/errata/RHSA-2026:7350
https://access.redhat.com/errata/RHSA-2026:7670
https://access.redhat.com/errata/RHSA-2026:7675
https://access.redhat.com/errata/RHSA-2026:7983
https://access.redhat.com/errata/RHSA-2026:21656
https://access.redhat.com/errata/RHSA-2026:27200
https://access.redhat.com/errata/RHSA-2026:27201
https://access.redhat.com/errata/RHSA-2026:6190
https://access.redhat.com/errata/RHSA-2026:7666
https://access.redhat.com/errata/RHSA-2026:7667
https://access.redhat.com/errata/RHSA-2026:7668
https://access.redhat.com/errata/RHSA-2026:7896
https://access.redhat.com/errata/RHSA-2026:8339
https://access.redhat.com/errata/RHSA-2026:8538
https://access.redhat.com/errata/RHSA-2026:8539
https://access.redhat.com/errata/RHSA-2026:8540
https://access.redhat.com/errata/RHSA-2026:8541
https://access.redhat.com/errata/RHSA-2026:8545
https://access.redhat.com/errata/RHSA-2026:8546
https://access.redhat.com/errata/RHSA-2026:8547
https://access.redhat.com/errata/RHSA-2026:8548
https://access.redhat.com/errata/RHSA-2026:8868
https://access.redhat.com/errata/RHSA-2026:9711
https://access.redhat.com/errata/RHSA-2026:9874
https://access.redhat.com/security/cve/CVE-2026-27135
https://bugzilla.redhat.com/show_bug.cgi?id=2448754
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27135.json