CVE-2026-27135

Publication date 18 March 2026

Last updated 5 May 2026


Ubuntu priority

CVSS 3 severity score: 7.5 · High

Description

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading incoming data when the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. These functions may also be called internally by the library when it detects a condition that constitutes a connection error. Due to missing internal state validation, the library keeps reading the rest of the data after one of those APIs has been called; if it then receives a malformed frame that triggers FRAME_SIZE_ERROR, an assertion fails. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.
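The practical question for a defender is whether the nghttp2 build on a given host is older than the fixed version for its Ubuntu release. The script below is an added example, not code from Ubuntu or the nghttp2 project: it embeds the fixed versions from the status table of this page and compares an installed version against them using a Python port of the ordering rules dpkg applies to Debian versions (epoch, then upstream version, then revision; `~` sorts before everything including end of string, letters before other characters, digit runs compared numerically). The sample host data at the bottom is constructed; on a real host the installed version would come from `dpkg-query -W -f='${Version}' libnghttp2-14`. The `resolute` entry is recorded as having no fixed version because the table lists it as Vulnerable.

```python
"""Compare an installed Ubuntu nghttp2 version against the fixed versions
listed in the CVE-2026-27135 status table (added example, not Ubuntu code).
The comparison is a port of dpkg's version-ordering rules."""

# Fixed versions as listed in the advisory's status table.
# None means the page lists the release as Vulnerable with no fix.
FIXED_VERSIONS = {
    "resolute": None,                      # 26.04 LTS, listed as Vulnerable
    "questing": "1.64.0-1.1ubuntu1.1",     # 25.10
    "noble":    "1.59.0-1ubuntu0.3",       # 24.04 LTS
    "jammy":    "1.43.0-1ubuntu0.3",       # 22.04 LTS
    "focal":    "1.40.0-1ubuntu0.3+esm1",  # 20.04 LTS
    "bionic":   "1.30.0-1ubuntu1+esm3",    # 18.04 LTS
    "xenial":   "1.7.1-1ubuntu0.1~esm3",   # 16.04 LTS
}

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Character weight dpkg uses inside the non-digit parts of a version."""
    if c in _DIGITS:
        return 0
    if "a" <= c <= "z" or "A" <= c <= "Z":
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    return ord(c) + 256     # other punctuation sorts after letters


def _cmp_part(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff != 0:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """dpkg-style ordering: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_part(ua, ub)
    return c if c != 0 else _cmp_part(ra, rb)


def is_vulnerable(release: str, installed: str) -> bool:
    """True when the installed version predates the fix listed for the release."""
    if release not in FIXED_VERSIONS:
        raise KeyError(f"release {release!r} is not in the advisory table")
    fixed = FIXED_VERSIONS[release]
    if fixed is None:
        return True
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample inventory: (release codename, installed version).
    samples = [("noble", "1.59.0-1ubuntu0.2"), ("noble", "1.59.0-1ubuntu0.3"),
               ("xenial", "1.7.1-1ubuntu0.1~esm2"), ("resolute", "1.68.0-1")]
    for rel, ver in samples:
        state = "VULNERABLE" if is_vulnerable(rel, ver) else "fixed"
        print(f"{rel:9s} {ver:24s} {state}")
```

The ESM suffixes in the table are why a real version comparison matters: `1.7.1-1ubuntu0.1~esm3` is newer than `1.7.1-1ubuntu0.1~esm2` but older than `1.7.1-1ubuntu0.1`, and a plain string or numeric comparison gets both of those wrong.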


Status

Package   Ubuntu release         Status
nghttp2   26.04 LTS (resolute)   Vulnerable
          25.10 (questing)       Fixed: 1.64.0-1.1ubuntu1.1
          24.04 LTS (noble)      Fixed: 1.59.0-1ubuntu0.3
          22.04 LTS (jammy)      Fixed: 1.43.0-1ubuntu0.3
          20.04 LTS (focal)      Fixed: 1.40.0-1ubuntu0.3+esm1
          18.04 LTS (bionic)     Fixed: 1.30.0-1ubuntu1+esm3
          16.04 LTS (xenial)     Fixed: 1.7.1-1ubuntu0.1~esm3


Notes


mdeslaur

There are a few more commits that add additional checks for NGHTTP2_IB_IGN_ALL that are likely required to properly fix this issue, such as:

https://github.com/nghttp2/nghttp2/commit/7784fa979d0bcf801a35f1afbb25fb048d815cd7
https://github.com/nghttp2/nghttp2/commit/06fb688be2c41206f8012f1d3149ba862d21a631
https://github.com/nghttp2/nghttp2/commit/43b4369fba1039b0e13176c8f089c6c9b9f8497a

This needs further investigation.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package   Patch details
nghttp2   (none listed)

Severity score breakdown

Parameter               Value
Base score              7.5 · High
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  None
Integrity impact        None
Availability impact     High
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

Other references
