CVE-2026-27135 nghttp2 Denial of service: Assertion failure due to the missing state validation

🗓️ 18 Mar 2026 17:59:02Reported by GoogleType

osv

osv🔗 osv.dev

CVE-2026-27135: nghttp2 DoS from missing state validation; assertion after terminate_session and malformed frames.

Reporter	Title	Published	Views	Family All 310
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to multiple Operator package issues	21 May 202615:57	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates	7 May 202613:38	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images	15 May 202613:21	–	ibm
ATTACKERKB	CVE-2026-27135	18 Mar 202617:59	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : libnghttp2, libnghttp2-devel, nghttp2 (ALAS2023-2026-1542)	13 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1647)	20 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1648)	20 May 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : nghttp2, --advisory ALAS2-2026-3232 (ALAS-2026-3232)	14 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 10 : nodejs22 (ALSA-2026:7080)	10 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 8 : nodejs:22 (ALSA-2026:7123)	16 Apr 202600:00	–	nessus

Source	Link
openwall	www.openwall.com/lists/oss-security/2026/03/20/3
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27135.json
github	www.github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-27135
github	www.github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1

17 Apr 2026 13:29Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.17.5

EPSS0.0003

nghttp2 state validation terminate session frame size error assertion failure version 1.68.1