An implementation of HTTP/2 and its header compression algorithm, HPACK.
The HTTP/2 framing layer is implemented as a reusable library.
Also included are an HTTP/2 client, server, proxy, load-test and
benchmarking tool.
For more information see the project home page:
https://nghttp2.org/
or the repo README:
https://github.com/nghttp2/nghttp2#readme
NOTES:
Support for previously deprecated Python bindings, modules, and
documentation was dropped some releases ago.
The following packages have been upgraded in the Cygwin distribution:
- nghttp2 1.68.1
- libnghttp2-devel 1.68.1
- libnghttp2_14 1.68.1
- mingw64-x86_64-nghttp2 1.68.1
For changes since the previous Cygwin release, see below or
https://nghttp2.org/blog/; for complete details of changes see
/usr/share/doc/nghttp2/ChangeLog after installation.
2026-03-18 1.68.1
Do not download the archive files generated by GitHub.
They do not work.
Please download the signed and versioned tarballs, such as
nghttp2-1.68.1.tar.gz.
This release includes a security advisory.
Security Advisory
CVE-2026-27135: Denial of service: Assertion failure due to the missing state validation
High
tatsuhiro-t published GHSA-6933-cjhr-5qg6 Mar 18, 2026
Package
nghttp2
Affected versions
<= 1.68.0
Patched versions
1.68.1
Description
Impact
The nghttp2 library stops reading incoming data when the application
calls the user-facing public API nghttp2_session_terminate_session or
nghttp2_session_terminate_session2. The library may also call them
internally when it detects a condition that is a connection error.
Due to missing internal state validation, the library keeps reading
the rest of the data after one of those APIs has been called.
Receiving a malformed frame that causes FRAME_SIZE_ERROR then triggers
an assertion failure.
nghttp2_session_terminate_session and
nghttp2_session_terminate_session2 are used interchangeably in the
rest of this document.
The detailed execution paths that lead to the assertion failure are:
- nghttp2_session_terminate_session is called from
nghttp2_on_invalid_frame_recv_callback when processing an incoming
ALTSVC (RFC 7838) frame, and then a malformed frame that causes
FRAME_SIZE_ERROR is received.
- nghttp2_session_terminate_session is called from
nghttp2_on_frame_recv_callback when processing a PRIORITY_UPDATE,
ALTSVC, or user-defined extension frame, and then a malformed frame
that causes FRAME_SIZE_ERROR is received.
- nghttp2_session_terminate_session is called from
nghttp2_on_extension_chunk_recv_callback when processing a
user-defined extension frame, and then a malformed frame that causes
FRAME_SIZE_ERROR is received.
- nghttp2_session_terminate_session is called from
nghttp2_unpack_extension_callback when processing a user-defined
extension frame, and then a malformed frame that causes
FRAME_SIZE_ERROR is received.
- A malformed PRIORITY_UPDATE frame (e.g., stream_id == 0) is
received, and then a malformed frame that causes FRAME_SIZE_ERROR is
received.
PRIORITY_UPDATE and ALTSVC frames must be explicitly enabled via
nghttp2_option_set_builtin_recv_extension_type for a session to be
affected. User-defined extension frames must be explicitly enabled via
nghttp2_option_set_user_recv_extension_type to be affected.
Builds that disable the assert macro (e.g., -DNDEBUG) do not hit the
assertion failure, but they might continue reading incoming data,
which by itself does not cause any vulnerability as far as we know.
We still strongly encourage applying the patch to those builds as
well.
The reporter found the cases where ALTSVC is involved. The other
cases were investigated and discovered by the nghttp2 development
team.
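The two read loops below are an added illustration of the failure mode described above; they are a small model written for this announcement, not nghttp2's code. A minimal HTTP/2 frame-header reader is fed constructed bytes: an ALTSVC frame that the application's callback rejects by terminating the session, followed by a header whose 24-bit length field exceeds SETTINGS_MAX_FRAME_SIZE. The names session_recv, session_terminate, on_frame_recv and RES_INVARIANT_VIOLATED are assumptions of this model. Without the state check, the reader keeps going and raises FRAME_SIZE_ERROR on an already terminated session, which is the condition an assertion would trap; with the check, it stops at the frame boundary after termination and reports how many bytes it actually consumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HTTP/2 frame header: 24-bit length, 8-bit type, 8-bit flags, then one
 * reserved bit and a 31-bit stream identifier (RFC 9113, Section 4.1). */
#define FRAME_HDR_LEN 9u
#define DEFAULT_MAX_FRAME_SIZE 16384u  /* initial SETTINGS_MAX_FRAME_SIZE */
#define FT_DATA 0x00u
#define FT_ALTSVC 0x0au                /* RFC 7838 extension frame type */

typedef enum {
    RES_OK = 0,
    RES_TERMINATED,         /* session terminated; reader stopped cleanly */
    RES_FRAME_SIZE_ERROR,   /* payload length exceeds the maximum frame size */
    RES_INVARIANT_VIOLATED  /* FRAME_SIZE_ERROR on an already terminated session:
                             * the state an assertion would trap (model only) */
} result_t;

typedef struct {
    uint32_t max_frame_size;
    int terminated;         /* set by session_terminate(); reading must stop */
    size_t frames_seen;
} session_t;

static void session_init(session_t *s) {
    memset(s, 0, sizeof *s);
    s->max_frame_size = DEFAULT_MAX_FRAME_SIZE;
}

static void session_terminate(session_t *s) { s->terminated = 1; }

/* Stand-in for the application's on_frame_recv callback (hypothetical): it
 * rejects ALTSVC by terminating the session, as in the first execution path. */
static void on_frame_recv(session_t *s, uint8_t type) {
    s->frames_seen++;
    if (type == FT_ALTSVC) session_terminate(s);
}

/* Consume complete frames from in[0..inlen). With check_state == 0 the loop
 * keeps reading after termination (the missing validation); with
 * check_state == 1 it stops at the first frame boundary after termination.
 * *consumed receives the number of bytes actually read. */
static result_t session_recv(session_t *s, const uint8_t *in, size_t inlen,
                             int check_state, size_t *consumed) {
    size_t pos = 0;
    while (inlen - pos >= FRAME_HDR_LEN) {
        if (check_state && s->terminated) break;
        const uint8_t *h = in + pos;
        uint32_t len = ((uint32_t)h[0] << 16) | ((uint32_t)h[1] << 8) | h[2];
        uint8_t type = h[3];
        if (len > s->max_frame_size) {
            *consumed = pos;
            if (s->terminated) return RES_INVARIANT_VIOLATED;
            session_terminate(s);  /* connection error: stop reading */
            return RES_FRAME_SIZE_ERROR;
        }
        if (inlen - pos < FRAME_HDR_LEN + len) break;  /* wait for full payload */
        on_frame_recv(s, type);
        pos += FRAME_HDR_LEN + len;
    }
    *consumed = pos;
    return s->terminated ? RES_TERMINATED : RES_OK;
}

/* Constructed input: an ALTSVC frame (length 3, stream 0, payload "abc")
 * followed by a frame header whose 24-bit length is 0xFFFFFF, above 16384. */
static const uint8_t kConstructedInput[] = {
    0x00, 0x00, 0x03, FT_ALTSVC, 0x00, 0x00, 0x00, 0x00, 0x00, 'a', 'b', 'c',
    0xff, 0xff, 0xff, FT_DATA,   0x00, 0x00, 0x00, 0x00, 0x01,
};

static result_t run(const uint8_t *in, size_t inlen, int check_state, size_t *consumed) {
    session_t s;
    session_init(&s);
    return session_recv(&s, in, inlen, check_state, consumed);
}

/* Wrappers so each variant's outcome is a plain return value. */
static result_t result_after(int check_state) {
    size_t c;
    return run(kConstructedInput, sizeof kConstructedInput, check_state, &c);
}
static size_t consumed_after(int check_state) {
    size_t c;
    (void)run(kConstructedInput, sizeof kConstructedInput, check_state, &c);
    return c;
}
/* Oversized header as the very first frame on a fresh session. */
static result_t oversized_first_result(void) {
    size_t c;
    return run(kConstructedInput + 12, 9, 1, &c);
}

int main(void) {
    printf("unchecked reader: result=%d consumed=%zu\n", result_after(0), consumed_after(0));
    printf("checked reader:   result=%d consumed=%zu\n", result_after(1), consumed_after(1));
    printf("oversized first:  result=%d\n", oversized_first_result());
    return 0;
}
```

The point of the model is the ordering of checks: a reader must test its own terminated state before it parses the next header, otherwise an error path that assumes a live session (here FRAME_SIZE_ERROR, in nghttp2 the assertion) can be reached from a state that was supposed to be final. The consumed-byte count also shows why an application should stop feeding data after termination: both variants read the same 12 bytes, but only the checked one returns without touching the malformed header.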
Patches
nghttp2 v1.68.1 adds missing state validation to avoid assertion
failure.
Workarounds
There is no workaround.
References
The commit 5c7df8f fixes this vulnerability.
Severity
High
CVSS overall score
7.5 / 10
CVSS v3 base metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
CVE ID: CVE-2026-27135
Weaknesses: No CWEs
Credits: @AndrewMohawk (Reporter)