
Nghttp2 CVE-2026-27135

EUVD-2026-12919 · HIGH
Reachable Assertion (CWE-617)
2026-03-18 · GitHub_M
7.5 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE: HIGH (qualitative)
Red Hat: 7.5 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (5 events)

Patch released: Mar 31, 2026 - 21:13 (nvd) - patch available
PoC Detected: Mar 23, 2026 - 17:51 (vuln.today) - public exploit code
EUVD ID Assigned: Mar 18, 2026 - 18:15 (euvd) - EUVD-2026-12919
Analysis Generated: Mar 18, 2026 - 18:15 (vuln.today)
CVE Published: Mar 18, 2026 - 17:59 (nvd) - HIGH 7.5

Description (GitHub Advisory)

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when the user-facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. They might also be called internally by the library when it detects a situation that is subject to a connection error. Due to missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Receiving a malformed frame that causes FRAME_SIZE_ERROR then causes an assertion failure. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.

Analysis (AI)

nghttp2 before version 1.68.1 fails to properly validate internal state when session termination APIs are invoked, allowing an attacker to send a malformed frame that triggers an assertion failure and crashes the application. This denial of service vulnerability affects applications using the nghttp2 HTTP/2 library and can be triggered remotely without authentication or user interaction. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Send HTTP/2 request
Delivery: Trigger nghttp2_session_terminate_session
Exploit: Continue reading incoming data
Execution: Send malformed frame
Persist: Cause FRAME_SIZE_ERROR
Impact: Denial of Service

Vulnerability Assessment (AI)

Exploitation: Remote unauthenticated attacker sending malformed HTTP/2 frames to nghttp2 library versions prior to 1.68.1. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS v3.1 score of 7.5 (High) reflects network-based exploitation with low attack complexity, no privileges required, and no user interaction needed (AV:N/AC:L/PR:N/UI:N), resulting in high availability impact (A:H) with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated remote attacker identifies an internet-facing web server or API gateway using a vulnerable version of nghttp2 for HTTP/2 support. The attacker crafts a malicious HTTP/2 connection that triggers internal termination conditions (such as sending frames that cause connection errors), then immediately sends a malformed frame designed to trigger FRAME_SIZE_ERROR while the library is in a partially terminated state. …

Remediation: Upgrade nghttp2 to version 1.68.1 or later, which includes the necessary internal state validation fix to prevent assertion failures (see commit https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 and advisory https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6). … Detailed patch versions, workarounds, and compensating controls in full report.
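As an added example, not code from the vuln.today page or from the nghttp2 project: a small C check that decides whether a reported nghttp2 version predates the 1.68.1 fix for CVE-2026-27135. It re-implements nghttp2's 24-bit version encoding (1.2.3 becomes 0x010203, the layout used by NGHTTP2_VERSION_NUM and by the version_num field returned by nghttp2_version()) so that the parsed value can be compared against what a real build reports at runtime. The function names, the threshold constant name and the sample version strings are this example's own.

```c
/* Added example (not from the vuln.today page or the nghttp2 project).
 * Classifies an nghttp2 version string against the CVE-2026-27135 fix
 * release, 1.68.1, using nghttp2's own 0xMMNNPP version encoding. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* 1.68.1 in nghttp2's 24-bit encoding (major << 16 | minor << 8 | patch). */
#define CVE_2026_27135_FIXED_NUM 0x014401u

/* Parse "MAJOR.MINOR.PATCH" (optionally followed by a distro revision such
 * as "-1.1" or "+deb12u2") into the 0xMMNNPP encoding. Returns 0 for any
 * malformed input; callers must treat 0 as "unknown", never as "fixed". */
unsigned int nghttp2_version_num_from_str(const char *s)
{
    unsigned int parts[3] = {0, 0, 0};
    int n = 0;
    if (s == NULL) return 0;
    for (;;) {
        if (!isdigit((unsigned char)*s)) return 0;   /* component must start with a digit */
        unsigned long v = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (unsigned long)(*s - '0');
            if (v > 255) return 0;                   /* does not fit in 8 bits */
            s++;
        }
        if (n == 3) return 0;                        /* more than three components */
        parts[n++] = (unsigned int)v;
        if (*s == '.') { s++; continue; }
        break;
    }
    if (n != 3) return 0;
    /* Only a distro revision delimiter may follow the upstream version. */
    if (*s != '\0' && strchr("-+~", *s) == NULL) return 0;
    return (parts[0] << 16) | (parts[1] << 8) | parts[2];
}

/* Returns 1 if the upstream version is >= 1.68.1, 0 if it is older,
 * -1 if the string could not be parsed. */
int nghttp2_fixed_for_cve_2026_27135(const char *version_str)
{
    unsigned int num = nghttp2_version_num_from_str(version_str);
    if (num == 0) return -1;
    return num >= CVE_2026_27135_FIXED_NUM ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs: upstream versions named on the page, two
     * Debian-style package versions, and one malformed string. */
    const char *samples[] = {"1.68.1", "1.68.0", "1.64.0-1.1",
                             "1.43.0-1+deb11u2", "1.68"};
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = nghttp2_fixed_for_cve_2026_27135(samples[i]);
        printf("%-20s %s\n", samples[i],
               r == 1 ? "fixed (>= 1.68.1)"
             : r == 0 ? "affected upstream version"
                      : "unparsable, treat as unknown");
    }
    return 0;
}
```

In a program linked against nghttp2, the same comparison can be made directly on nghttp2_version(0)->version_num without parsing a string. Distribution packages may carry the fix as a backport without raising the upstream version (the Debian rows below list 1.43.0 and 1.52.0 builds), so a result of 0 for a distro package means "check the vendor advisory", not "confirmed vulnerable"; only an upstream build's number is conclusive on its own.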

Recommended Action (AI)

Within 24 hours: inventory all systems using nghttp2 and assess exposure; identify critical services and prioritize protection. …


Vendor Status

Debian: nghttp2

| Release             | Status     | Fixed Version    | Urgency |
|---------------------|------------|------------------|---------|
| bullseye            | vulnerable | 1.43.0-1+deb11u1 | -       |
| bullseye (security) | vulnerable | 1.43.0-1+deb11u2 | -       |
| bookworm            | vulnerable | 1.52.0-1+deb12u2 | -       |
| bookworm (security) | vulnerable | 1.52.0-1+deb12u1 | -       |
| trixie              | vulnerable | 1.64.0-1.1       | -       |
| forky, sid          | vulnerable | 1.68.0-2         | -       |
| (unstable)          | fixed      | (unfixed)        | -       |

SUSE

Severity: High

Product status (every product group below is listed as Affected):

  • Container private-registry/harbor-trivy-adapter:1.1.2-2.6; Images SLES15-SP7-SAP-Azure-LI-BYOS-Production, SLES15-SP7-SAP-Azure-VLI-BYOS-Production, SLES15-SP7-SAP-EC2, pr_15_7
  • Container suse/ltss/sle12.5/sles12sp5:8.5.215
  • Containers suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.150, suse/sl-micro/6.0/base-os-container:2.1.3-7.117, suse/sl-micro/6.0/kvm-os-container:2.1.3-6.135, suse/sl-micro/6.0/rt-os-container:2.1.3-7.149, suse/sl-micro/6.0/toolbox:13.2-9.85, suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.80, suse/sl-micro/6.1/base-os-container:2.2.1-5.103, suse/sl-micro/6.1/kvm-os-container:2.2.1-5.107, suse/sl-micro/6.1/rt-os-container:2.2.1-5.94; Images SL-Micro, SL-Micro-Base, SL-Micro-Base-RT, SL-Micro-Base-RT-SelfInstall, SL-Micro-Base-RT-encrypted, SL-Micro-Base-SelfInstall, SL-Micro-Base-encrypted, SL-Micro-Base-qcow, SL-Micro-Default, SL-Micro-Default-SelfInstall, SL-Micro-Default-encrypted, SL-Micro-Default-qcow, SLE-Micro, SLE-Micro-Azure, SLE-Micro-BYOS, SLE-Micro-BYOS-Azure, SLE-Micro-BYOS-EC2, SLE-Micro-BYOS-GCE, SLE-Micro-EC2, SLE-Micro-GCE, SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2, SUSE-Multi-Linux-Manager-Server-BYOS-EC2
  • Container suse/sles/16.0/toolbox:16.3-1.38; Image SLES-CHOST-BYOS-EC2
  • Images SL-Micro-EC2, SUSE-Multi-Linux-Manager-Server-Azure-ltd, SUSE-Multi-Linux-Manager-Server-EC2-llc, SUSE-Multi-Linux-Manager-Server-EC2-ltd


CVE-2026-27135 vulnerability details – vuln.today
