Bug 2448754 (CVE-2026-27135)

Summary: CVE-2026-27135 nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: csutherl, jclere, pjindal, plodge, rhel-process-autobot, szappis, vchlup, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in nghttp2. Due to missing internal state validation, the library continues to process incoming data even after a session has been terminated. A remote attacker could exploit this by sending a specially crafted HTTP/2 frame, leading to an assertion failure and a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-18 19:03:26 UTC 
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Comment 3 errata-xmlrpc 2026-04-08 13:54:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7080 https://access.redhat.com/errata/RHSA-2026:7080
Comment 4 errata-xmlrpc 2026-04-08 18:05:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7123 https://access.redhat.com/errata/RHSA-2026:7123
Comment 5 errata-xmlrpc 2026-04-09 12:47:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7302 https://access.redhat.com/errata/RHSA-2026:7302
Comment 6 errata-xmlrpc 2026-04-09 13:20:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:7310 https://access.redhat.com/errata/RHSA-2026:7310
Comment 7 errata-xmlrpc 2026-04-09 20:20:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350
Comment 9 errata-xmlrpc 2026-04-13 01:31:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7666 https://access.redhat.com/errata/RHSA-2026:7666
Comment 10 errata-xmlrpc 2026-04-13 02:09:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7667 https://access.redhat.com/errata/RHSA-2026:7667
Comment 11 errata-xmlrpc 2026-04-13 02:23:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7675 https://access.redhat.com/errata/RHSA-2026:7675
Comment 12 errata-xmlrpc 2026-04-13 02:24:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7668 https://access.redhat.com/errata/RHSA-2026:7668
Comment 13 errata-xmlrpc 2026-04-13 02:47:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7670 https://access.redhat.com/errata/RHSA-2026:7670
Comment 15 errata-xmlrpc 2026-04-13 18:29:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7896 https://access.redhat.com/errata/RHSA-2026:7896
Comment 16 errata-xmlrpc 2026-04-14 06:52:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:7983 https://access.redhat.com/errata/RHSA-2026:7983
Comment 17 errata-xmlrpc 2026-04-15 19:04:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:8339 https://access.redhat.com/errata/RHSA-2026:8339
Comment 18 errata-xmlrpc 2026-04-16 18:38:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:8541 https://access.redhat.com/errata/RHSA-2026:8541
Comment 19 errata-xmlrpc 2026-04-16 18:40:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:8539 https://access.redhat.com/errata/RHSA-2026:8539
Comment 20 errata-xmlrpc 2026-04-16 18:42:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:8538 https://access.redhat.com/errata/RHSA-2026:8538
Comment 21 errata-xmlrpc 2026-04-16 18:43:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:8540 https://access.redhat.com/errata/RHSA-2026:8540
Comment 22 errata-xmlrpc 2026-04-16 19:25:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:8546 https://access.redhat.com/errata/RHSA-2026:8546
Comment 23 errata-xmlrpc 2026-04-16 19:37:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:8545 https://access.redhat.com/errata/RHSA-2026:8545
Comment 24 errata-xmlrpc 2026-04-16 19:43:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:8547 https://access.redhat.com/errata/RHSA-2026:8547
Comment 25 errata-xmlrpc 2026-04-16 19:43:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:8548 https://access.redhat.com/errata/RHSA-2026:8548
Comment 26 errata-xmlrpc 2026-04-20 02:47:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:8868 https://access.redhat.com/errata/RHSA-2026:8868
Comment 27 errata-xmlrpc 2026-04-22 13:57:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:9711 https://access.redhat.com/errata/RHSA-2026:9711
Comment 29 errata-xmlrpc 2026-04-22 21:44:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:9874 https://access.redhat.com/errata/RHSA-2026:9874
Comment 32 errata-xmlrpc 2026-05-05 17:49:47 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2026:13812 https://access.redhat.com/errata/RHSA-2026:13812
Comment 37 errata-xmlrpc 2026-05-13 13:55:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:15087 https://access.redhat.com/errata/RHSA-2026:15087
Comment 38 errata-xmlrpc 2026-05-13 14:16:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:14773 https://access.redhat.com/errata/RHSA-2026:14773
Comment 39 errata-xmlrpc 2026-05-20 13:27:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2026:17596 https://access.redhat.com/errata/RHSA-2026:17596
Comment 40 errata-xmlrpc 2026-05-27 16:02:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:20040 https://access.redhat.com/errata/RHSA-2026:20040
Comment 41 errata-xmlrpc 2026-05-29 18:53:43 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:20087 https://access.redhat.com/errata/RHSA-2026:20087
Comment 42 errata-xmlrpc 2026-06-03 14:16:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:21656 https://access.redhat.com/errata/RHSA-2026:21656
Comment 43 errata-xmlrpc 2026-06-04 16:33:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:21690 https://access.redhat.com/errata/RHSA-2026:21690
Comment 44 errata-xmlrpc 2026-06-04 16:59:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2026:21695 https://access.redhat.com/errata/RHSA-2026:21695