Input validation error in nghttp2 - CVE-2026-27135

 


Published: April 23, 2026


Vulnerability identifier: #VU127046
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-27135
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: nghttp2
Software vendor: nghttp2

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing state validation in the nghttp2 session handling logic when processing malformed frames after session termination has been initiated. A remote attacker can send specially crafted frames to cause a denial of service.

For PRIORITY_UPDATE and ALTSVC frames, the affected extension types must be explicitly enabled. Builds with assertions disabled may not crash under the same conditions.


Remediation

Install the security update from the vendor's website.
