Description
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
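To make the defect class concrete, the following added C model (not nghttp2's code; the exact internal assertion is not shown on this page) contrasts a frame-header reader that keeps consuming input after termination with one that carries the state check the fix adds. The 9-octet frame header and the 16384-byte default maximum frame size come from RFC 9113; the session struct, function names and the oversized sample frame are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the CVE-2026-27135 defect class; it is not nghttp2's code. */
#define FRAME_HDR_LEN 9
#define MAX_FRAME_SIZE 16384u /* SETTINGS_MAX_FRAME_SIZE default, RFC 9113 */

enum { RECV_OK = 0,               /* all frames consumed normally */
       RECV_STOPPED = 1,          /* input no longer consumed: termination pending */
       RECV_FRAME_SIZE_ERROR = 2, /* oversized frame seen in a normal state */
       RECV_ASSERT_REACHED = 3 }; /* stands in for the assertion failure (crash) */
typedef struct {
    int goaway_requested; /* set once the session is being terminated */
    size_t frames_seen;
} h2_session;
/* Models nghttp2_session_terminate_session(): flag the connection for shutdown. */
static void terminate_session(h2_session *s) { s->goaway_requested = 1; }

/* 24-bit payload length from a 9-octet HTTP/2 frame header (RFC 9113 section 4.1). */
static uint32_t frame_payload_len(const uint8_t *hdr) {
    return ((uint32_t)hdr[0] << 16) | ((uint32_t)hdr[1] << 8) | hdr[2];
}
/* check_state = 0 models pre-1.68.1 (keeps parsing after termination);
 * check_state = 1 models the 1.68.1 fix (stop reading once termination was requested). */
static int session_recv(h2_session *s, const uint8_t *buf, size_t len, int check_state) {
    size_t off = 0;
    while (off + FRAME_HDR_LEN <= len) {
        if (check_state && s->goaway_requested)
            return RECV_STOPPED;
        uint32_t plen = frame_payload_len(buf + off);
        if (plen > MAX_FRAME_SIZE) {
            /* FRAME_SIZE_ERROR path. The model assumes it expects no termination to be
             * pending; reaching it after terminate_session() is the crash the CVE describes. */
            if (s->goaway_requested)
                return RECV_ASSERT_REACHED;
            terminate_session(s); /* connection error: request shutdown */
            return RECV_FRAME_SIZE_ERROR;
        }
        off += FRAME_HDR_LEN + plen;
        s->frames_seen++;
    }
    return RECV_OK;
}
/* Feeds a constructed oversized frame (payload length 0x100000) after termination. */
static int replay_after_terminate(int check_state) {
    static const uint8_t hdr[FRAME_HDR_LEN] = {0x10, 0x00, 0x00, 0x00, 0x00, 0, 0, 0, 1};
    h2_session s = {0, 0};
    terminate_session(&s);
    return session_recv(&s, hdr, sizeof hdr, check_state);
}
```

The same oversized header is harmless once the state check is present: reading simply stops, and the malformed frame never reaches the error path that the pre-fix code did not expect to run while a termination was pending.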
Published: 2026-03-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

nghttp2 contains an assertion failure vulnerability caused by missing internal state validation after the library’s session termination API is invoked. This flaw permits an attacker to send a crafted HTTP/2 frame that triggers a FRAME_SIZE_ERROR condition, ultimately leading the library to assert and crash. The root weakness is improper input validation, classified as CWE‑617. When triggered, the service using nghttp2 experiences a denial of service because the thread or process handling the connection terminates unexpectedly.

Affected Systems

The vulnerability affects the nghttp2 implementation of HTTP/2, specifically all releases prior to version 1.68.1. Any deployment that relies on nghttp2 1.68.0 or earlier is exposed. The affected component is the nghttp2 library itself, reached through its public APIs nghttp2_session_terminate_session and nghttp2_session_terminate_session2.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact on availability. Although the EPSS probability is low (<1 %) and the issue is not listed in the CISA KEV catalog, the potential for denial of service remains significant for services that have no fail‑over or do not handle unexpected crashes gracefully. The absence of a workaround means the only defense is to update to a version that includes the missing state validation, namely 1.68.1 or later. Attackers would need network access to target the application using nghttp2; once they send the malformed frame, the session terminates and the application cannot recover until restarted.

Generated by OpenCVE AI on March 23, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nghttp2 to version 1.68.1 or later


Advisories
Source      ID          Title
Ubuntu USN  USN-8233-1  nghttp2 vulnerability
Ubuntu USN  USN-8233-2  nghttp2 vulnerability
History

Mon, 23 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
References

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Nghttp2
Nghttp2 nghttp2
Vendors & Products Nghttp2
Nghttp2 nghttp2

Wed, 18 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Title nghttp2 Denial of service: Assertion failure due to the missing state validation
Weaknesses CWE-617
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T21:07:53.189Z

Reserved: 2026-02-17T18:42:27.044Z

Link: CVE-2026-27135

Vulnrichment

Updated: 2026-03-20T21:07:53.189Z

NVD

Status : Analyzed

Published: 2026-03-18T18:16:26.723

Modified: 2026-03-23T17:51:17.017

Link: CVE-2026-27135

Redhat

Severity : Important

Published Date: 2026-03-18T17:59:02Z

Links: CVE-2026-27135 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:58:04Z

Weaknesses