CVE-2026-27135 | nghttp2 up to 1.68.0 HTTP/2 nghttp2_session_terminate_session assertion (GHSA-6933-cjhr-5qg6 / EUVD-2026-12919)
VulDBArchived Mar 18, 2026✓ Full text saved
A vulnerability identified as problematic has been detected in nghttp2 up to 1.68.0 . This impacts the function nghttp2_session_terminate_session of the component HTTP2 Handler . Performing a manipulation results in reachable assertion. This vulnerability is identified as CVE-2026-27135 . The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-351592 · CVE-2026-27135 · GHSA-6933-CJHR-5QG6
NGHTTP2 UP TO 1.68.0 HTTP/2 NGHTTP2_SESSION_TERMINATE_SESSION ASSERTION
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
6.3 $0-$5k 0.67+
Summaryinfo
A vulnerability labeled as problematic has been found in nghttp2 up to 1.68.0. Affected is the function nghttp2_session_terminate_session of the component HTTP2 Handler. Executing a manipulation can lead to assertion. This vulnerability is tracked as CVE-2026-27135. The attack can be launched remotely. No exploit exists. The affected component should be upgraded.
Detailsinfo
A vulnerability was found in nghttp2 up to 1.68.0. It has been declared as problematic. This vulnerability affects the function nghttp2_session_terminate_session of the component HTTP2 Handler. The manipulation with an unknown input leads to a assertion vulnerability. The CWE definition for the vulnerability is CWE-617. The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. As an impact it is known to affect availability. CVE summarizes:
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
The advisory is shared for download at github.com. This vulnerability was named CVE-2026-27135 since 02/17/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available.
Upgrading to version 1.68.1 eliminates this vulnerability. Applying the patch 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at EUVD (EUVD-2026-12919) and CERT Bund (WID-SEC-2026-0775).
Affected
Open Source nghttp2
Productinfo
Name
nghttp2
Version
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.36
1.37
1.38
1.39
1.40
1.41
1.42
1.43
1.44
1.45
1.46
1.47
1.48
1.49
1.50
1.51
1.52
1.53
1.54
1.55
1.56
1.57
1.58
1.59
1.60
1.61
1.62
1.63
1.64
1.65
1.66
1.67
1.68.0
License
open-source
Website
Product: https://github.com/nghttp2/nghttp2/
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3info
VulDB Meta Base Score: 6.4
VulDB Meta Temp Score: 6.3
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 7.5
CNA Vector (GitHub_M): 🔒
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Assertion
CWE: CWE-617
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: nghttp2 1.68.1
Patch: 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
Timelineinfo
02/17/2026 CVE reserved
03/18/2026 +29 days Advisory disclosed
03/18/2026 +0 days VulDB entry created
03/18/2026 +0 days VulDB entry last update
Sourcesinfo
Product: github.com
Advisory: GHSA-6933-cjhr-5qg6
Status: Confirmed
CVE: CVE-2026-27135 (🔒)
GCVE (CVE): GCVE-0-2026-27135
GCVE (VulDB): GCVE-100-351592
EUVD: 🔒
CERT Bund: WID-SEC-2026-0775 - nghttp2: Schwachstelle ermöglicht Denial of Service
Entryinfo
Created: 03/18/2026 19:58
Updated: 03/18/2026 20:40
Changes: 03/18/2026 19:58 (66), 03/18/2026 20:18 (7), 03/18/2026 20:40 (1)
Complete: 🔍
Cache ID: 99:25E:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸