diff --git a/0003-nghttp2-1.43.0-CVE-2026-27135.patch b/0003-nghttp2-1.43.0-CVE-2026-27135.patch new file mode 100644 index 0000000..7e298b5 --- /dev/null +++ b/0003-nghttp2-1.43.0-CVE-2026-27135.patch @@ -0,0 +1,133 @@ +From f5e9e3d3e73703d501ffd72057db107e6a3cab02 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Wed, 18 Feb 2026 22:40:57 +0900 +Subject: [PATCH] CVE-2026-27135 + +Check nghttp2_is_fatal first + +(cherry picked from commit 68f77a347544c207eeff7ff7457284697ccf7f7d) + +Fix missing iframe->state validations to avoid assertion failure + +(cherry picked from commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1) +--- + lib/nghttp2_session.c | 44 +++++++++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 8 deletions(-) + +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index 3e11bd8f..fe823713 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -5537,6 +5537,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + busy = 1; + + rv = session_on_data_received_fail_fast(session); ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ + if (iframe->state == NGHTTP2_IB_IGN_ALL) { + return (ssize_t)inlen; + } +@@ -5547,10 +5551,6 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + break; + } + +- if (nghttp2_is_fatal(rv)) { +- return rv; +- } +- + rv = inbound_frame_handle_pad(iframe, &iframe->frame.hd); + if (rv < 0) { + rv = nghttp2_session_terminate_session_with_reason( +@@ -5620,6 +5620,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (ssize_t)inlen; ++ } ++ + on_begin_frame_called = 1; + + rv = session_process_headers_frame(session); +@@ -5943,6 +5947,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (ssize_t)inlen; ++ } + } + } + +@@ -6486,6 +6494,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (ssize_t)inlen; ++ } + } else { + iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK; + } +@@ -6651,13 +6663,17 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + rv = session->callbacks.on_data_chunk_recv_callback( + session, iframe->frame.hd.flags, iframe->frame.hd.stream_id, + in - readlen, (size_t)data_readlen, session->user_data); +- if (rv == NGHTTP2_ERR_PAUSE) { +- return in - first; +- } +- + if (nghttp2_is_fatal(rv)) { + return NGHTTP2_ERR_CALLBACK_FAILURE; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (ssize_t)inlen; ++ } ++ ++ if (rv == NGHTTP2_ERR_PAUSE) { ++ return in - first; ++ } + } + } + } +@@ -6738,6 +6754,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (ssize_t)inlen; ++ } ++ + if (rv != 0) { + busy = 1; + +@@ -6756,6 +6776,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (ssize_t)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -6784,6 +6808,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (ssize_t)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +-- +2.53.0 + diff --git a/nghttp2.spec b/nghttp2.spec index 0619901..1a69744 100644 --- a/nghttp2.spec +++ b/nghttp2.spec @@ -1,7 +1,7 @@ Summary: Experimental HTTP/2 client, server and proxy Name: nghttp2 Version: 1.43.0 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT URL: https://nghttp2.org/ Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz @@ -12,6 +12,9 @@ Patch1: 0001-nghttp2-1.43.0-CVE-2023-44487.patch # fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316) Patch2: 0002-nghttp2-1.43.0-CVE-2024-28182-CVE-2024-27316.patch +# fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135) +Patch3: 0003-nghttp2-1.43.0-CVE-2026-27135.patch + BuildRequires: automake BuildRequires: libtool @@ -125,6 +128,9 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %changelog +* Wed Apr 01 2026 Jan Macku - 1.43.0-7 +- fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135) + * Wed Apr 10 2024 Jan Macku - 1.43.0-6 - fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)