[AutoPR- Security] Patch nghttp2 for CVE-2026-27135 [HIGH] (#16247)

Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>

Author: azurelinux-security

SPECS/nghttp2/CVE-2026-27135.patch

@@ -0,0 +1,117 @@
+From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Wed, 18 Feb 2026 18:04:30 +0900
+Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
+ failure
+
+Upstream Patch reference: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1.patch
+---
+ lib/nghttp2_session.c | 40 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index ced7517..ac9301b 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -6031,6 +6031,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
++
+         on_begin_frame_called = 1;
+ 
+         rv = session_process_headers_frame(session);
+@@ -6397,6 +6401,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           if (nghttp2_is_fatal(rv)) {
+             return rv;
+           }
++
++          if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++            return (ssize_t)inlen;
++          }
+         }
+       }
+ 
+@@ -6653,6 +6661,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
++
+         session_inbound_frame_reset(session);
+ 
+         break;
+@@ -6956,6 +6968,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         if (nghttp2_is_fatal(rv)) {
+           return rv;
+         }
++
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
+       } else {
+         iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
+       }
+@@ -7121,13 +7137,17 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+             rv = session->callbacks.on_data_chunk_recv_callback(
+                 session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
+                 in - readlen, (size_t)data_readlen, session->user_data);
+-            if (rv == NGHTTP2_ERR_PAUSE) {
+-              return (ssize_t)(in - first);
+-            }
+-
+             if (nghttp2_is_fatal(rv)) {
+               return NGHTTP2_ERR_CALLBACK_FAILURE;
+             }
++
++            if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++              return (ssize_t)inlen;
++            }
++
++            if (rv == NGHTTP2_ERR_PAUSE) {
++              return (ssize_t)(in - first);
++            }
+           }
+         }
+       }
+@@ -7208,6 +7228,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
++
+         if (rv != 0) {
+           busy = 1;
+ 
+@@ -7226,6 +7250,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         return rv;
+       }
+ 
++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++        return (ssize_t)inlen;
++      }
++
+       session_inbound_frame_reset(session);
+ 
+       break;
+@@ -7254,6 +7282,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         return rv;
+       }
+ 
++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++        return (ssize_t)inlen;
++      }
++
+       session_inbound_frame_reset(session);
+ 
+       break;
+-- 
+2.43.0
+

SPECS/nghttp2/nghttp2.spec

@@ -1,14 +1,15 @@
 Summary:        nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.
 Name:           nghttp2
 Version:        1.57.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://nghttp2.org
 Source0:        https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz
 Patch0:         CVE-2024-28182.patch
+Patch1:         CVE-2026-27135.patch
 BuildRequires:  gcc
 BuildRequires:  make
 %if %{with_check}
@@ -60,6 +61,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Fri Mar 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.57.0-3
+- Patch for CVE-2026-27135
+
 * Tue Oct 08 2024 Muhammad Falak <mwani@microsoft.com> - 1.57.0-2
 - Address CVE-2024-28182
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -189,7 +189,7 @@ libsolv-devel-0.7.24-1.cm2.aarch64.rpm
 libssh2-1.9.0-4.cm2.aarch64.rpm
 libssh2-devel-1.9.0-4.cm2.aarch64.rpm
 krb5-1.19.4-5.cm2.aarch64.rpm
-nghttp2-1.57.0-2.cm2.aarch64.rpm
+nghttp2-1.57.0-3.cm2.aarch64.rpm
 curl-8.8.0-8.cm2.aarch64.rpm
 curl-devel-8.8.0-8.cm2.aarch64.rpm
 curl-libs-8.8.0-8.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -189,7 +189,7 @@ libsolv-devel-0.7.24-1.cm2.x86_64.rpm
 libssh2-1.9.0-4.cm2.x86_64.rpm
 libssh2-devel-1.9.0-4.cm2.x86_64.rpm
 krb5-1.19.4-5.cm2.x86_64.rpm
-nghttp2-1.57.0-2.cm2.x86_64.rpm
+nghttp2-1.57.0-3.cm2.x86_64.rpm
 curl-8.8.0-8.cm2.x86_64.rpm
 curl-devel-8.8.0-8.cm2.x86_64.rpm
 curl-libs-8.8.0-8.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -261,9 +261,9 @@ newt-0.52.21-5.cm2.aarch64.rpm
 newt-debuginfo-0.52.21-5.cm2.aarch64.rpm
 newt-devel-0.52.21-5.cm2.aarch64.rpm
 newt-lang-0.52.21-5.cm2.aarch64.rpm
-nghttp2-1.57.0-2.cm2.aarch64.rpm
-nghttp2-debuginfo-1.57.0-2.cm2.aarch64.rpm
-nghttp2-devel-1.57.0-2.cm2.aarch64.rpm
+nghttp2-1.57.0-3.cm2.aarch64.rpm
+nghttp2-debuginfo-1.57.0-3.cm2.aarch64.rpm
+nghttp2-devel-1.57.0-3.cm2.aarch64.rpm
 ninja-build-1.10.2-2.cm2.aarch64.rpm
 ninja-build-debuginfo-1.10.2-2.cm2.aarch64.rpm
 npth-1.6-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -267,9 +267,9 @@ newt-0.52.21-5.cm2.x86_64.rpm
 newt-debuginfo-0.52.21-5.cm2.x86_64.rpm
 newt-devel-0.52.21-5.cm2.x86_64.rpm
 newt-lang-0.52.21-5.cm2.x86_64.rpm
-nghttp2-1.57.0-2.cm2.x86_64.rpm
-nghttp2-debuginfo-1.57.0-2.cm2.x86_64.rpm
-nghttp2-devel-1.57.0-2.cm2.x86_64.rpm
+nghttp2-1.57.0-3.cm2.x86_64.rpm
+nghttp2-debuginfo-1.57.0-3.cm2.x86_64.rpm
+nghttp2-devel-1.57.0-3.cm2.x86_64.rpm
 ninja-build-1.10.2-2.cm2.x86_64.rpm
 ninja-build-debuginfo-1.10.2-2.cm2.x86_64.rpm
 npth-1.6-4.cm2.x86_64.rpm