Main Vulnerability Database SB20260423116

SB20260423116 - SUSE update for nghttp2

Published: April 23, 2026

Security Bulletin ID SB20260423116

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Input validation error (CVE-ID: CVE-2026-27135)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing state validation in the nghttp2 session handling logic when processing malformed frames after session termination has been initiated. A remote attacker can send specially crafted frames to cause a denial of service.

For PRIORITY_UPDATE and ALTSVC frames, the affected extension types must be explicitly enabled. Builds with assertions disabled may not crash under the same conditions.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2026/suse-su-20261056-1/

SB20260423116 - SUSE update for nghttp2

Breakdown by Severity

Description

Remediation

References

Please verify you're human