Main Vulnerability Database SB20260423106

SB20260423106 - Red Hat Enterprise Linux 8 update for nghttp2

Published: April 23, 2026

Security Bulletin ID SB20260423106

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2026-27135)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing state validation in the nghttp2 session handling logic when processing malformed frames after session termination has been initiated. A remote attacker can send specially crafted frames to cause a denial of service.

For PRIORITY_UPDATE and ALTSVC frames, the affected extension types must be explicitly enabled. Builds with assertions disabled may not crash under the same conditions.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2026:8538