CVE-2026-27135 - fix Denial of service: Assertion failure due to the missing state

validation

Resolves: RHEL-157378
This commit is contained in:
Jan Macku 2026-04-01 10:33:32 +02:00
parent 0d9404dd36
commit 9f2f72bf1e
2 changed files with 140 additions and 1 deletions

View File

@ -0,0 +1,133 @@
From f5e9e3d3e73703d501ffd72057db107e6a3cab02 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Wed, 18 Feb 2026 22:40:57 +0900
Subject: [PATCH] CVE-2026-27135
Check nghttp2_is_fatal first
(cherry picked from commit 68f77a347544c207eeff7ff7457284697ccf7f7d)
Fix missing iframe->state validations to avoid assertion failure
(cherry picked from commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1)
---
lib/nghttp2_session.c | 44 +++++++++++++++++++++++++++++++++++--------
1 file changed, 36 insertions(+), 8 deletions(-)
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index 3e11bd8f..fe823713 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -5537,6 +5537,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
busy = 1;
rv = session_on_data_received_fail_fast(session);
+ if (nghttp2_is_fatal(rv)) {
+ return rv;
+ }
+
if (iframe->state == NGHTTP2_IB_IGN_ALL) {
return (ssize_t)inlen;
}
@@ -5547,10 +5551,6 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
break;
}
- if (nghttp2_is_fatal(rv)) {
- return rv;
- }
-
rv = inbound_frame_handle_pad(iframe, &iframe->frame.hd);
if (rv < 0) {
rv = nghttp2_session_terminate_session_with_reason(
@@ -5620,6 +5620,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
on_begin_frame_called = 1;
rv = session_process_headers_frame(session);
@@ -5943,6 +5947,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
if (nghttp2_is_fatal(rv)) {
return rv;
}
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
}
}
@@ -6486,6 +6494,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
if (nghttp2_is_fatal(rv)) {
return rv;
}
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
} else {
iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
}
@@ -6651,13 +6663,17 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
rv = session->callbacks.on_data_chunk_recv_callback(
session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
in - readlen, (size_t)data_readlen, session->user_data);
- if (rv == NGHTTP2_ERR_PAUSE) {
- return in - first;
- }
-
if (nghttp2_is_fatal(rv)) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
+ if (rv == NGHTTP2_ERR_PAUSE) {
+ return in - first;
+ }
}
}
}
@@ -6738,6 +6754,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
if (rv != 0) {
busy = 1;
@@ -6756,6 +6776,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
session_inbound_frame_reset(session);
break;
@@ -6784,6 +6808,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
session_inbound_frame_reset(session);
break;
--
2.53.0

View File

@ -1,7 +1,7 @@
Summary: Experimental HTTP/2 client, server and proxy
Name: nghttp2
Version: 1.43.0
Release: 6%{?dist}
Release: 7%{?dist}
License: MIT
URL: https://nghttp2.org/
Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
@ -12,6 +12,9 @@ Patch1: 0001-nghttp2-1.43.0-CVE-2023-44487.patch
# fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
Patch2: 0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch
# fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135)
Patch3: 0003-nghttp2-1.43.0-CVE-2026-27135.patch
BuildRequires: automake
BuildRequires: libtool
@ -125,6 +128,9 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
%changelog
* Wed Apr 01 2026 Jan Macku <jamacku@redhat.com> - 1.43.0-7
- fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135)
* Wed Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.43.0-6
- fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)