-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6266-1 [email protected] https://www.debian.org/security/ Aron Xu May 14, 2026 https://www.debian.org/security/faq - -------------------------------------------------------------------------
Package : nghttp2 CVE ID : CVE-2026-27135 Debian Bug : 1131369 It was discovered that nghttp2, an implementation of the HTTP/2 protocol, could be crashed via an assertion failure. A remote attacker could exploit this to cause a DoS attack by sending a malformed frame immediately after triggering the termination path. For the oldstable distribution (bookworm), this problem has been fixed in version 1.52.0-1+deb12u3. For the stable distribution (trixie), this problem has been fixed in version 1.64.0-1.1+deb13u1. We recommend that you upgrade your nghttp2 packages. For the detailed security status of nghttp2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nghttp2 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: [email protected] -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEExq6D0hxncEPaPayX+GQ1dHE8m64FAmoFjAkACgkQ+GQ1dHE8 m65Fzwf9EnDGL88bivxndCEWyr+xLRoJ23JTcUJiDsoJxFCMirCqFw8HxXQ8GEkp tDlDIF26yGdMte14jAg914jdt3ncVcoQscNVFZeF7QM2oDo0IEstiK4mdaYYnGuA 8IQoZEDRftux+IoHuALWmo/0oOJ1/5dBcGwWPSPr7+13sX2FfGyDl0mBNDOEIybK bL/yZnXtAnos3RNLhI9QFSgzvKadeKtMlDq6pIQ97E8dw2V6LQd7IN3tHNSBVelv 1MofR8mDhSOE6aoX2yErkJ4mi6F/SfW+T6gTu/Szl1xo6JA2SINkgaf44NyTSnt5 UREUUIZEPZlV0d2Xa7asWgLiTQIDdA== =PUhk -----END PGP SIGNATURE-----

