CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs

CVE-2026-27135 | nghttp2 up to 1.68.0 HTTP/2 nghttp2_session_terminate_session assertion (GHSA-6933-cjhr-5qg6 / EUVD-2026-12919)

VulDB Archived Mar 18, 2026 ✓ Full text saved

A vulnerability identified as problematic has been detected in nghttp2 up to 1.68.0 . This impacts the function nghttp2_session_terminate_session of the component HTTP2 Handler . Performing a manipulation results in reachable assertion. This vulnerability is identified as CVE-2026-27135 . The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

Full text archived locally
✦ AI Summary · Claude Sonnet


    VDB-351592 · CVE-2026-27135 · GHSA-6933-CJHR-5QG6 NGHTTP2 UP TO 1.68.0 HTTP/2 NGHTTP2_SESSION_TERMINATE_SESSION ASSERTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 0.67+ Summaryinfo A vulnerability labeled as problematic has been found in nghttp2 up to 1.68.0. Affected is the function nghttp2_session_terminate_session of the component HTTP2 Handler. Executing a manipulation can lead to assertion. This vulnerability is tracked as CVE-2026-27135. The attack can be launched remotely. No exploit exists. The affected component should be upgraded. Detailsinfo A vulnerability was found in nghttp2 up to 1.68.0. It has been declared as problematic. This vulnerability affects the function nghttp2_session_terminate_session of the component HTTP2 Handler. The manipulation with an unknown input leads to a assertion vulnerability. The CWE definition for the vulnerability is CWE-617. The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. As an impact it is known to affect availability. CVE summarizes: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available. The advisory is shared for download at github.com. This vulnerability was named CVE-2026-27135 since 02/17/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. Upgrading to version 1.68.1 eliminates this vulnerability. Applying the patch 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. The vulnerability is also documented in the databases at EUVD (EUVD-2026-12919) and CERT Bund (WID-SEC-2026-0775). Affected Open Source nghttp2 Productinfo Name nghttp2 Version 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 1.25 1.26 1.27 1.28 1.29 1.30 1.31 1.32 1.33 1.34 1.35 1.36 1.37 1.38 1.39 1.40 1.41 1.42 1.43 1.44 1.45 1.46 1.47 1.48 1.49 1.50 1.51 1.52 1.53 1.54 1.55 1.56 1.57 1.58 1.59 1.60 1.61 1.62 1.63 1.64 1.65 1.66 1.67 1.68.0 License open-source Website Product: https://github.com/nghttp2/nghttp2/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Assertion CWE: CWE-617 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: nghttp2 1.68.1 Patch: 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Timelineinfo 02/17/2026 CVE reserved 03/18/2026 +29 days Advisory disclosed 03/18/2026 +0 days VulDB entry created 03/18/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-6933-cjhr-5qg6 Status: Confirmed CVE: CVE-2026-27135 (🔒) GCVE (CVE): GCVE-0-2026-27135 GCVE (VulDB): GCVE-100-351592 EUVD: 🔒 CERT Bund: WID-SEC-2026-0775 - nghttp2: Schwachstelle ermöglicht Denial of Service Entryinfo Created: 03/18/2026 19:58 Updated: 03/18/2026 20:40 Changes: 03/18/2026 19:58 (66), 03/18/2026 20:18 (7), 03/18/2026 20:40 (1) Complete: 🔍 Cache ID: 99:25E:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸
    💬 Team Notes
    Article Info
    Source
    VulDB
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Archived
    Mar 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗