nghttp21.68.1: assertion fail via FRAME_SIZE_ERROR after session termination
CVE-2026-27135 Published on March 18, 2026
nghttp2 Denial of service: Assertion failure due to the missing state validation
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Vulnerability Analysis
CVE-2026-27135 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is an assertion failure Vulnerability?
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CVE-2026-27135 has been classified to as an assertion failure vulnerability or weakness.
Products Associated with CVE-2026-27135
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-27135 are published in these products:
Affected Versions
nghttp2:- Version < 1.68.1 is affected.
- Version 0:1.64.0-3.el8jbcs and below * is unaffected.
- Version 0:1.64.0-3.el7jbcs and below * is unaffected.
- Version 1:22.22.2-1.el10_1 and below * is unaffected.
- Version 0:1.64.0-2.el10_1.1 and below * is unaffected.
- Version 1:24.14.1-2.el10_1 and below * is unaffected.
- Version 1:22.22.2-2.el10_0 and below * is unaffected.
- Version 0:1.64.0-2.el10_0.1 and below * is unaffected.
- Version 8100020260331102257.6d880403 and below * is unaffected.
- Version 8100020260408131901.6d880403 and below * is unaffected.
- Version 8100020260414073138.489197e6 and below * is unaffected.
- Version 0:1.33.0-6.el8_10.2 and below * is unaffected.
- Version 0:1.33.0-3.el8_2.4 and below * is unaffected.
- Version 0:1.33.0-4.el8_4.3 and below * is unaffected.
- Version 0:1.33.0-4.el8_4.3 and below * is unaffected.
- Version 0:1.33.0-4.el8_6.3 and below * is unaffected.
- Version 0:1.33.0-4.el8_6.3 and below * is unaffected.
- Version 0:1.33.0-4.el8_6.3 and below * is unaffected.
- Version 0:1.33.0-5.el8_8.2 and below * is unaffected.
- Version 0:1.33.0-5.el8_8.2 and below * is unaffected.
- Version 9070020260401095228.rhel9 and below * is unaffected.
- Version 9070020260402152654.rhel9 and below * is unaffected.
- Version 9070020260409073121.rhel9 and below * is unaffected.
- Version 0:1.43.0-6.el9_7.1 and below * is unaffected.
- Version 0:1.43.0-5.el9_0.4 and below * is unaffected.
- Version 0:1.43.0-5.el9_2.4 and below * is unaffected.
- Version 9040020260421133644.rhel9 and below * is unaffected.
- Version 0:1.43.0-5.el9_4.4 and below * is unaffected.
- Version 9060020260409121057.rhel9 and below * is unaffected.
- Version 9060020260422064119.rhel9 and below * is unaffected.
- Version 0:1.43.0-6.el9_6.1 and below * is unaffected.
- Version 412.86.202605271418-0 and below * is unaffected.
- Version 413.92.202605271328-0 and below * is unaffected.
- Version 414.92.202605060243-0 and below * is unaffected.
- Version 415.92.202605060220-0 and below * is unaffected.
- Version 416.94.202605200242-0 and below * is unaffected.
- Version 417.94.202605112123-0 and below * is unaffected.
- Version 418.94.202605260517-0 and below * is unaffected.
- Version 4.19.9.6.202605201155-0 and below * is unaffected.
- Version 7.13.5-4.1777325677 and below * is unaffected.
- Version 7.13.5-4.1777325711 and below * is unaffected.
- Version 7.13.5-4.1777325710 and below * is unaffected.
- Version 7.13.5-3.1777325680 and below * is unaffected.
- Version 7.13.5-4.1777325709 and below * is unaffected.
- Version 7.13.5-4.1777325680 and below * is unaffected.
- Version 7.13.5-4.1777325708 and below * is unaffected.
- Version 1779223654 and below * is unaffected.
- Version 1779223651 and below * is unaffected.
- Version 1780681984 and below * is unaffected.
- Version 1778244559 and below * is unaffected.
- Version 1778244531 and below * is unaffected.
- Version 1778274666 and below * is unaffected.
- Version 1778244546 and below * is unaffected.
- Version 1778101579 and below * is unaffected.
- Version 1778156756 and below * is unaffected.
- Version 1.68.1-1.hum1 and below * is unaffected.
- Version 1776868961 and below * is unaffected.
- Version 1776868774 and below * is unaffected.
- Version 1776868744 and below * is unaffected.
- Version 1776868772 and below * is unaffected.
- Version 1776868842 and below * is unaffected.
- Version 1777459441 and below * is unaffected.
- Version 1777454300 and below * is unaffected.
- Version 1777459504 and below * is unaffected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
- Version V3.1.6 and below * is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.