CVE-2026-27135: Reachable Assertion in Nghttp2

Severity
7.5 HIGH (NVD)
EPSS
0.0% (top 96.02%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 18

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading incoming data when the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. These functions may also be called internally by the library when it detects a condition that warrants a connection error. Due to missing internal state validation, the library keeps reading the rest of the data af

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5: nghttp2/nghttp2 < 1.68.1
NVD: nghttp2/nghttp2 < 1.68.1
Debian: nghttp2/nghttp2 < 1.68.1-1
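As an added example that is not part of this advisory or of the nghttp2 project: a POSIX shell check that classifies a libnghttp2 version string against the affected range listed above (below 1.68.1 upstream, below 1.68.1-1 on Debian). It goes slightly beyond the table by normalising Debian-style versions (epoch, revision and "+dfsg" suffixes) before comparing. The function names, the fixed-version constant and the `pkg-config` lookup of `libnghttp2` are assumptions of this example, not something the page states.

```shell
#!/bin/sh
# Added example (not from the advisory or the nghttp2 project): classify a
# libnghttp2 version string against the CVE-2026-27135 affected range.
# Function names and the pkg-config lookup are assumptions of this example.

NGHTTP2_FIXED_VERSION="1.68.1"

# Reduce a distro-style version to upstream X.Y.Z: drop a Debian epoch
# ("1:"), a Debian revision ("-1") and any "+dfsg"-style local suffix.
nghttp2_base_version() {
  v="$1"
  v="${v#*:}"      # epoch
  v="${v%%-*}"     # Debian revision
  v="${v%%+*}"     # local suffix
  printf '%s\n' "$v"
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
# Missing components count as 0, so 1.68 equals 1.68.0. A non-digit tail
# in a component (e.g. "1rc1") is ignored rather than causing an error.
nghttp2_vercmp() {
  a="$(nghttp2_base_version "$1")."
  b="$(nghttp2_base_version "$2")."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; a="${a#*.}"
    bi="${b%%.*}"; b="${b#*.}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# True (exit 0) when the given version is below the fixed release.
nghttp2_affected() {
  [ "$(nghttp2_vercmp "$1" "$NGHTTP2_FIXED_VERSION")" -eq -1 ]
}

# Look up the installed library via pkg-config (assumption: a libnghttp2.pc
# file is present) and report. Returns 0 if affected, 1 if fixed, 2 if the
# version could not be determined.
nghttp2_check_installed() {
  v="$(pkg-config --modversion libnghttp2 2>/dev/null)" || return 2
  if nghttp2_affected "$v"; then
    printf 'libnghttp2 %s: affected (upgrade to >= %s)\n' "$v" "$NGHTTP2_FIXED_VERSION"
    return 0
  fi
  printf 'libnghttp2 %s: fixed\n' "$v"
  return 1
}

# Stand-alone use: `sh check.sh 1.67.1` classifies the given version string.
if [ $# -gt 0 ]; then
  if nghttp2_affected "$1"; then echo "$1: affected"; else echo "$1: fixed"; fi
fi
```

For a fleet sweep, feed `nghttp2_affected` the version from your package manager (for example `dpkg-query -W -f '${Version}' libnghttp2-14` on Debian) rather than relying on pkg-config, which is only present on hosts with development headers installed. Note that backported distribution fixes can carry a version number below 1.68.1 while already containing the patch; for those, trust the distribution's advisory over the numeric comparison.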

Patches

🔴 Vulnerability Details (2)

CVEList: nghttp2 Denial of service: Assertion failure due to the missing state validation (2026-03-18)
OSV: CVE-2026-27135: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C (2026-03-18)

📋 Vendor Advisories (3)

Red Hat: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (2026-03-18)
Microsoft: nghttp2 Denial of service: Assertion failure due to the missing state validation (2026-03-10)
Debian: CVE-2026-27135: nghttp2 - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. ... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-27135 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla: CVE-2026-27135 nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (2026-03-18)