CVE-2026-27135
Assertion Failure in nghttp2 Due to Missing State Validation
Publication date: 2026-03-18
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nghttp2 | nghttp2 | < 1.68.1 (all releases before 1.68.1; 1.68.1 is the fixed release) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27135 is a denial-of-service vulnerability in the nghttp2 library (all versions before 1.68.1) caused by a missing internal state check during session termination.
When the public APIs nghttp2_session_terminate_session or nghttp2_session_terminate_session2 are called, either by the application or internally when the library itself detects a connection error, the library keeps processing incoming data without checking that the session is already being torn down.
If a malformed frame that raises FRAME_SIZE_ERROR arrives in that state, an assert() inside the library fires and the process aborts (CWE-617: reachable assertion).
The affected path can be reached through several HTTP/2 frame types, including ALTSVC, PRIORITY_UPDATE and user-defined extension frames, particularly when the application has explicitly enabled receiving those frame types.
nghttp2 1.68.1 fixes the issue by adding the missing state validation so that these assertion failures can no longer be triggered.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) condition by crashing the process using the nghttp2 library.
An attacker can exploit this by sending malformed HTTP/2 frames after session termination APIs are called, leading to an assertion failure and process crash.
The impact is availability-related, meaning the affected service or application may become unavailable or stop responding due to the crash.
No confidentiality or integrity impacts are associated with this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered when the nghttp2 library keeps reading incoming data after nghttp2_session_terminate_session or nghttp2_session_terminate_session2 has been called, and a malformed frame that raises FRAME_SIZE_ERROR then hits an assertion.
Detection therefore comes down to two things: finding nghttp2 builds older than 1.68.1, and watching for crashes or assertion failures in applications that link the library, especially while they process ALTSVC, PRIORITY_UPDATE or user-defined extension frames.
Because the flaw is internal to the library's frame processing, the available resources do not provide network-level detection commands.
You can check which nghttp2 version is installed with commands such as:
- pkg-config --modversion libnghttp2 (when the development package is installed)
- nghttp --version (the client shipped by the nghttp2 project; it prints an nghttp2/X.Y.Z token)
- curl --version (look for the nghttp2/X.Y.Z token in the feature line)
- dpkg -l 'libnghttp2*' (on Debian/Ubuntu)
- rpm -qa | grep nghttp2 (on Red Hat/CentOS)
Two caveats apply. Applications that bundle or statically link their own copy of nghttp2 (a self-built curl, Node.js, a vendored build) do not show up in package queries, so each such application has to be checked on its own. Distribution packages may also carry a backported fix under a version number below 1.68.1, so consult the distribution's own advisory rather than relying on the number alone.
Additionally, monitoring application logs for crashes or assertion failures attributable to nghttp2 (glibc's assert() prints an "Assertion `...' failed." line and the process dies with SIGABRT) can help detect exploitation attempts. [1]
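The version checks above, as an added script (not code from the advisory or from the nghttp2 project): it collects the nghttp2 version from every source on the host that exposes one and flags anything below the fix release. It assumes the fix release is 1.68.1 as stated above, that curl and nghttp print an "nghttp2/X.Y.Z" token in their --version output, and that Node.js exposes the bundled library version as process.versions.nghttp2; the version comparison is written in plain POSIX sh so it does not depend on GNU sort -V.

```shell
#!/bin/sh
# Added example, not part of the advisory or the nghttp2 project.
# Assumptions: fix release 1.68.1; curl/nghttp print "nghttp2/X.Y.Z";
# node exposes process.versions.nghttp2 when it bundles the library.

FIXED_VERSION=1.68.1

# version_lt A B: succeed (status 0) when A sorts before B, comparing the
# dot-separated numeric fields left to right. Non-numeric suffixes such as
# "-rc1" or "+dfsg" are ignored; a missing field counts as 0 (1.68 < 1.68.1).
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; ax=${ax%%[!0-9]*}; [ -n "$ax" ] || ax=0
        bx=${b%%.*}; bx=${bx%%[!0-9]*}; [ -n "$bx" ] || bx=0
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # equal
}

# nghttp2_vulnerable V: succeed when version V is below the fix release.
nghttp2_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# token_version TEXT: print the X.Y.Z after the first "nghttp2/" token in
# TEXT (the form used by `curl --version` and `nghttp --version`), or nothing.
token_version() {
    printf '%s\n' "$1" | sed -n 's/.*nghttp2\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# report LABEL V: one line per version source, flagged against the fix release.
report() {
    if nghttp2_vulnerable "$2"; then
        printf 'VULNERABLE  %-10s nghttp2 %s (< %s)\n' "$1" "$2" "$FIXED_VERSION"
    else
        printf 'ok          %-10s nghttp2 %s\n' "$1" "$2"
    fi
}

# check_host: probe each version source that exists on this machine.
# Vendored/static copies inside other software are not covered by pkg-config,
# which is why curl, nghttp and node are queried separately.
check_host() {
    found=0
    if command -v pkg-config >/dev/null 2>&1; then
        if v=$(pkg-config --modversion libnghttp2 2>/dev/null); then
            report pkg-config "$v"; found=1
        fi
    fi
    for tool in curl nghttp; do
        if command -v "$tool" >/dev/null 2>&1; then
            v=$(token_version "$("$tool" --version 2>/dev/null)")
            if [ -n "$v" ]; then report "$tool" "$v"; found=1; fi
        fi
    done
    if command -v node >/dev/null 2>&1; then
        v=$(node -p 'process.versions.nghttp2 || ""' 2>/dev/null)
        if [ -n "$v" ]; then report node "$v"; found=1; fi
    fi
    if [ "$found" -eq 0 ]; then
        echo "no nghttp2 version source found (pkg-config, curl, nghttp, node)"
    fi
    return 0
}

check_host
```

A "VULNERABLE" line is a lead, not a verdict: a distribution may have backported the fix under an older version number, so confirm against the distribution's advisory before filing it as unpatched.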
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the nghttp2 library to version 1.68.1 or later, where the missing internal state validation has been added so the assertion can no longer be reached. Software that bundles its own copy of the library (for example nghttpx, curl builds, or Node.js) needs its own vendor update.
No complete workaround is documented, so applying the patch or upgrading is strongly recommended; the measures that follow only reduce exposure.
If upgrading immediately is not possible, a build with assertions compiled out (defining NDEBUG at compile time, e.g. CFLAGS=-DNDEBUG) removes the deterministic abort but not the missing state check: the session then continues past the point the assertion was guarding, in a state the library does not define behaviour for. Treat this as a last resort, not a fix.
Also review whether the application actually needs to receive PRIORITY_UPDATE, ALTSVC or user-defined extension frames. In libnghttp2 these are opt-in through nghttp2_option_set_builtin_recv_extension_type() and nghttp2_option_set_user_recv_extension_type(); leaving frame types disabled that the application does not use narrows the set of frames that can reach the affected path.