CVE-2026-27135: nghttp2 Denial of service: Assertion failure due to the missing state validation
Published Mar 18, 2026
Affected Software
8 affected components · Fixes available
nghttp2<1.68.1
Microsoft azl3 nghttp2 1.61.0-2
nghttp2 nghttp2<1.68.1
Microsoft cbl2 nodejs18 18.20.3-11
Microsoft cbl2 nghttp2 1.57.0-2
Microsoft cbl2 cmake 3.21.4-21
Microsoft azl3 cmake 3.30.3-12
Microsoft azl3 nodejs 20.14.0-13
Event History
Mar 18, 2026
CVE Published (via MITRE, 05:59 PM)
Data Sourced (via MITRE, 05:59 PM): Description, Severity, Weakness
Data Sourced (via NVD, 06:16 PM): Remedy, Description, Severity, Weakness, Affected Software
Data Sourced (via Red Hat, 07:03 PM): Description, Severity, Affected Software
Mar 20, 2026
Data Sourced (via Microsoft, 08:02 AM): Description, Severity, Weakness, Affected Software
Updated (via Microsoft, 08:02 AM): Affected Software
Updated (via Microsoft, 08:02 AM): Description, Severity
Frequently Asked Questions
1. What is the severity of CVE-2026-27135?
CVE-2026-27135 is classified as a denial-of-service vulnerability due to assertion failure.
2. How do I fix CVE-2026-27135?
To fix CVE-2026-27135, upgrade the nghttp2 library to version 1.68.1 or later.
3. What causes CVE-2026-27135?
CVE-2026-27135 is caused by missing state validation in the nghttp2 library when handling incoming data.
4. Which versions of nghttp2 are affected by CVE-2026-27135?
Versions of nghttp2 prior to 1.68.1 are affected by CVE-2026-27135.
5. What is nghttp2?
nghttp2 is a C implementation of the HTTP/2 protocol. It is the library affected by CVE-2026-27135.