Vulnerability Report

CVE-2026-27135

Title: Malformed HTTP/2 Frame causes Assertion Failure

Other

Proof Of Concept

PoC Available for CVE-2026-27135

CWE Category CWE-617

Published Date Mar 18, 2026

Modified Date May 13, 2026

Exploit Status Available

Score 7.5 CVSS v3.1

Exploit Probability (EPSS)

0.03%

Vulnerability Summary

CVE-2026-27135: nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Impacted Vendors

nghttp2 1

Reference Links

https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns