[SECURITY] [DSA 6266-1] nghttp2 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6266-1] nghttp2 security update
From: Aron Xu <aron@debian.org>
Date: Thu, 14 May 2026 08:47:54 +0000
Message-id: <E1wNRjW-00000004TRq-3nNb@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6266-1                   security@debian.org
https://www.debian.org/security/                                 Aron Xu
May 14, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nghttp2
CVE ID         : CVE-2026-27135
Debian Bug     : 1131369

It was discovered that nghttp2, an implementation of the HTTP/2 protocol,
could be crashed via an assertion failure. A remote attacker could exploit
this to cause a DoS attack by sending a malformed frame immediately after
triggering the termination path.

For the oldstable distribution (bookworm), this problem has been fixed in
version 1.52.0-1+deb12u3.

For the stable distribution (trixie), this problem has been fixed in
version 1.64.0-1.1+deb13u1.

We recommend that you upgrade your nghttp2 packages.
For the detailed security status of nghttp2 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEExq6D0hxncEPaPayX+GQ1dHE8m64FAmoFjAkACgkQ+GQ1dHE8
m65Fzwf9EnDGL88bivxndCEWyr+xLRoJ23JTcUJiDsoJxFCMirCqFw8HxXQ8GEkp
tDlDIF26yGdMte14jAg914jdt3ncVcoQscNVFZeF7QM2oDo0IEstiK4mdaYYnGuA
8IQoZEDRftux+IoHuALWmo/0oOJ1/5dBcGwWPSPr7+13sX2FfGyDl0mBNDOEIybK
bL/yZnXtAnos3RNLhI9QFSgzvKadeKtMlDq6pIQ97E8dw2V6LQd7IN3tHNSBVelv
1MofR8mDhSOE6aoX2yErkJ4mi6F/SfW+T6gTu/Szl1xo6JA2SINkgaf44NyTSnt5
UREUUIZEPZlV0d2Xa7asWgLiTQIDdA==
=PUhk
-----END PGP SIGNATURE-----
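The advisory's only remediation step is "upgrade to at least the fixed version for your release", and the check an administrator needs is whether each installed nghttp2 binary package already meets that version. The script below is an added example, not Debian's or nghttp2's code: it ports dpkg's version-ordering rules (epoch, upstream version, Debian revision; `~` sorting before the end of the string; numeric runs compared as numbers) so the comparison runs without dpkg, and compares a package list against the two fixed versions quoted in the advisory. The package list embedded in the block is constructed sample input in the shape of `dpkg-query -W -f='${Package} ${Version}\n'` output for a hypothetical bookworm host; the package names in it are assumptions, not taken from the advisory.

```python
"""Check installed nghttp2 packages against the versions fixed in DSA-6266-1.

Added example, not Debian's code. The version comparison is a port of dpkg's
ordering so the check runs offline; on a real host replace SAMPLE_DPKG_OUTPUT
with the output of:
    dpkg-query -W -f='${Package} ${Version}\n' 'libnghttp2*' 'nghttp2*'
"""
import string

# Fixed versions quoted from DSA-6266-1, keyed by distribution codename.
FIXED_VERSIONS = {
    "bookworm": "1.52.0-1+deb12u3",   # oldstable
    "trixie": "1.64.0-1.1+deb13u1",   # stable
}

# Constructed sample in the shape of dpkg-query output (hypothetical host;
# package names and versions are assumptions for illustration).
SAMPLE_DPKG_OUTPUT = """\
libnghttp2-14 1.52.0-1+deb12u2
nghttp2-proxy 1.52.0-1+deb12u3
"""


def _order(c):
    """Character weight dpkg uses for the non-digit runs of a version string."""
    if c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and a[i] not in string.digits) or \
              (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, longer run wins, else first
        # differing digit decides (so u10 > u3, unlike a string compare).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while (i < len(a) and j < len(b)
               and a[i] in string.digits and b[j] in string.digits):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def audit(codename, dpkg_output):
    """Map each listed package to True if its version is at or after the fix."""
    fixed = FIXED_VERSIONS[codename]
    status = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, version = line.split()
        status[package] = compare_versions(version, fixed) >= 0
    return status


if __name__ == "__main__":
    for pkg, ok in audit("bookworm", SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {'fixed' if ok else 'below ' + FIXED_VERSIONS['bookworm']}")
```

Run as a script it reports one line per package; in the constructed sample only `libnghttp2-14` is still below the bookworm fix. The comparison deliberately follows dpkg rather than a plain string compare, because `+deb12u10` must rank above `+deb12u3` and a `~` pre-release must rank below its final version; on a host that has dpkg, `dpkg --compare-versions` gives the authoritative answer.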
A remote attacker can trigger a denial-of-service condition in nghttp2 (CVE-2026-27135, CVSS 7.5 HIGH) by sending a malformed frame during the termination path, causing an assertion failure and crash. Versions prior to 1.68.1 are affected. The fix is to upgrade nghttp2 to version 1.68.1.