CVE-2026-27135 - fix Denial of service: Assertion failure due to the

missing state validation Resolves: RHEL-157366
2026-04-09 13:53:11 +02:00 · 2026-04-09 13:53:11 +02:00 · bd3193b3c8
commit bd3193b3c8
parent eab77a0da6
2 changed files with 142 additions and 2 deletions
--- a/0005-nghttp2-1.33.0-CVE-2026-27135.patch
+++ b/0005-nghttp2-1.33.0-CVE-2026-27135.patch
@ -0,0 +1,133 @@
+From 3d4cd78d10b0da55d408361ac7309d702cfc295b Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Wed, 18 Feb 2026 22:40:57 +0900
+Subject: [PATCH] CVE-2026-27135
+
+Check nghttp2_is_fatal first
+
+(cherry picked from commit 68f77a347544c207eeff7ff7457284697ccf7f7d)
+
+Fix missing iframe->state validations to avoid assertion failure
+
+(cherry picked from commit 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1)
+---
+ lib/nghttp2_session.c | 44 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 8 deletions(-)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 821c57ea..aa90b67b 100644
+--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
+@@ -5517,6 +5517,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         busy = 1;
+ 
+         rv = session_on_data_received_fail_fast(session);
+        if (nghttp2_is_fatal(rv)) {
+          return rv;
+        }
+
+         if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+           return (ssize_t)inlen;
+         }
+@@ -5527,10 +5531,6 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           break;
+         }
+ 
+-        if (nghttp2_is_fatal(rv)) {
+-          return rv;
+-        }
+-
+         rv = inbound_frame_handle_pad(iframe, &iframe->frame.hd);
+         if (rv < 0) {
+           rv = nghttp2_session_terminate_session_with_reason(
+@@ -5600,6 +5600,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (ssize_t)inlen;
+        }
+
+         on_begin_frame_called = 1;
+ 
+         rv = session_process_headers_frame(session);
+@@ -5923,6 +5927,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           if (nghttp2_is_fatal(rv)) {
+             return rv;
+           }
+
+          if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+            return (ssize_t)inlen;
+          }
+         }
+       }
+ 
+@@ -6466,6 +6474,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         if (nghttp2_is_fatal(rv)) {
+           return rv;
+         }
+
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (ssize_t)inlen;
+        }
+       } else {
+         iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
+       }
+@@ -6630,13 +6642,17 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+             rv = session->callbacks.on_data_chunk_recv_callback(
+                 session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
+                 in - readlen, (size_t)data_readlen, session->user_data);
+-            if (rv == NGHTTP2_ERR_PAUSE) {
+-              return in - first;
+-            }
+-
+             if (nghttp2_is_fatal(rv)) {
+               return NGHTTP2_ERR_CALLBACK_FAILURE;
+             }
+
+            if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+              return (ssize_t)inlen;
+            }
+
+            if (rv == NGHTTP2_ERR_PAUSE) {
+              return in - first;
+            }
+           }
+         }
+       }
+@@ -6716,6 +6732,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
+        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+          return (ssize_t)inlen;
+        }
+
+         if (rv != 0) {
+           busy = 1;
+ 
+@@ -6734,6 +6754,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         return rv;
+       }
+ 
+      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+        return (ssize_t)inlen;
+      }
+
+       session_inbound_frame_reset(session);
+ 
+       break;
+@@ -6762,6 +6786,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         return rv;
+       }
+ 
+      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+        return (ssize_t)inlen;
+      }
+
+       session_inbound_frame_reset(session);
+ 
+       break;
+-- 
+2.53.0
+
--- a/nghttp2.spec
+++ b/nghttp2.spec
@ -1,7 +1,7 @@
 Summary: Experimental HTTP/2 client, server and proxy
 Name: nghttp2
 Version: 1.33.0
-Release: 6%{?dist}.1
+Release: 6%{?dist}.2
 License: MIT
 Group: Applications/Internet
 URL: https://nghttp2.org/
@ -19,6 +19,9 @@ Patch3: 0003-nghttp2-1.33.0-CVE-2023-44487.patch
 # fix CONTINUATION frames DoS (CVE-2024-28182, CVE-2024-27316)
 Patch4: 0004-nghttp2-1.33.0-CVE-2024-28182.patch

+# fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135)
+Patch5: 0005-nghttp2-1.33.0-CVE-2026-27135.patch
+
 BuildRequires: automake
 BuildRequires: libtool

@ -64,6 +67,7 @@ for building applications with libnghttp2.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 autoreconf -fiv

 # make fetch-ocsp-response use Python 3
@ -135,7 +139,10 @@ make %{?_smp_mflags} check


 %changelog
-* Mon Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.33.0-6.1
+* Thu Apr 09 2026 Jan Macku <jamacku@redhat.com> - 1.33.0-6.2
+- fix Denial of service: Assertion failure due to the missing state validation (CVE-2026-27135)
+
+* Wed Apr 10 2024 Jan Macku <jamacku@redhat.com> - 1.33.0-6.1
 - fix CONTINUATION frames DoS (CVE-2024-27316)

 * Mon Apr 08 2024 Jan Macku <jamacku@redhat.com> - 1.33.0-6