Source: nghttp2
Version: 1.68.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for nghttp2.

CVE-2026-27135[0]:
| nghttp2 is an implementation of the Hypertext Transfer Protocol
| version 2 in C. Prior to version 1.68.1, the nghttp2 library stops
| reading the incoming data when user facing public API
| `nghttp2_session_terminate_session` or
| `nghttp2_session_terminate_session2` is called by the application.
| They might be called internally by the library when it detects the
| situation that is subject to connection error. Due to the missing
| internal state validation, the library keeps reading the rest of the
| data after one of those APIs is called. Then receiving a malformed
| frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2
| v1.68.1 adds missing state validation to avoid assertion failure. No
| known workarounds are available.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27135
    https://www.cve.org/CVERecord?id=CVE-2026-27135
[1] https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6
[2] https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

