CVE-2026-27135
Published: 18 March 2026
Summary
CVE-2026-27135 is a high-severity Reachable Assertion (CWE-617) vulnerability in Nghttp2 Nghttp2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of flaws in nghttp2 library, directly addressing the assertion failure by patching to version 1.68.1.
Mandates secure error handling for malformed HTTP/2 frames after session termination to prevent crashes via assertion failure.
Enforces validation of incoming HTTP/2 frames to reject malformed data that could trigger FRAME_SIZE_ERROR post-session termination.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in nghttp2 HTTP/2 library enables remote unauthenticated attackers to send crafted frames that trigger assertion failure and service crash after session termination, directly facilitating exploitation of public-facing applications (T1190) for endpoint DoS via application exploitation (T1499.004).
NVD Description
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might…
more
be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Deeper analysisAI
CVE-2026-27135 is a vulnerability in nghttp2, an open-source C implementation of the Hypertext Transfer Protocol version 2 (HTTP/2). In versions prior to 1.68.1, the library fails to properly validate internal state after the user-facing APIs `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` are invoked, either directly by the application or internally due to a connection error. This allows the library to continue reading incoming data, and a subsequent malformed frame triggering a FRAME_SIZE_ERROR results in an assertion failure, linked to CWE-617 (Reachable Assertion).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending crafted HTTP/2 traffic to a vulnerable nghttp2-based service, the attacker can induce the termination session state and follow with a malformed frame, causing the library to crash via assertion failure and leading to denial of service through high availability impact.
The nghttp2 project addressed this in version 1.68.1 by adding the missing internal state validation to prevent the assertion failure after session termination. Relevant advisories include the GitHub Security Advisory GHSA-6933-cjhr-5qg6 and a commit at https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1, with discussion on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/20/3. No known workarounds exist.
Details
- CWE(s)