Skip to content

[AutoPR- Security] Patch nghttp2 for CVE-2026-27135 [HIGH] #16247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
azurelinux-security wants to merge 2 commits into
base: fasttrack/2.0
Choose a base branch
from
+130 −9
Open

[AutoPR- Security] Patch nghttp2 for CVE-2026-27135 [HIGH] #16247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a41eecf
Patch nghttp2 for CVE-2026-27135
azurelinux-security Mar 20, 2026
ae46ee6
modified patch to use ssize_t instead of nghttp2_ssize
akhila-guruju Mar 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 117 additions & 0 deletions SPECS/nghttp2/CVE-2026-27135.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Wed, 18 Feb 2026 18:04:30 +0900
Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
failure

Upstream Patch reference: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1.patch
---
lib/nghttp2_session.c | 40 ++++++++++++++++++++++++++++++++++++----
1 file changed, 36 insertions(+), 4 deletions(-)

diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index ced7517..ac9301b 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -6031,6 +6031,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}

+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
on_begin_frame_called = 1;

rv = session_process_headers_frame(session);
@@ -6397,6 +6401,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
if (nghttp2_is_fatal(rv)) {
return rv;
}
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
}
}

@@ -6653,6 +6661,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}

+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
session_inbound_frame_reset(session);

break;
@@ -6956,6 +6968,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
if (nghttp2_is_fatal(rv)) {
return rv;
}
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
} else {
iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
}
@@ -7121,13 +7137,17 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
rv = session->callbacks.on_data_chunk_recv_callback(
session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
in - readlen, (size_t)data_readlen, session->user_data);
- if (rv == NGHTTP2_ERR_PAUSE) {
- return (ssize_t)(in - first);
- }
-
if (nghttp2_is_fatal(rv)) {
return NGHTTP2_ERR_CALLBACK_FAILURE;
}
+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
+ if (rv == NGHTTP2_ERR_PAUSE) {
+ return (ssize_t)(in - first);
+ }
}
}
}
@@ -7208,6 +7228,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}

+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
if (rv != 0) {
busy = 1;

@@ -7226,6 +7250,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}

+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
session_inbound_frame_reset(session);

break;
@@ -7254,6 +7282,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
return rv;
}

+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+ return (ssize_t)inlen;
+ }
+
session_inbound_frame_reset(session);

break;
--
2.43.0

6 changes: 5 additions & 1 deletion SPECS/nghttp2/nghttp2.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
Summary: nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.
Name: nghttp2
Version: 1.57.0
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/System
URL: https://nghttp2.org
Source0: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0: CVE-2024-28182.patch
Patch1: CVE-2026-27135.patch
BuildRequires: gcc
BuildRequires: make
%if %{with_check}
Expand Down Expand Up @@ -60,6 +61,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_libdir}/pkgconfig/*.pc

%changelog
* Fri Mar 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.57.0-3
- Patch for CVE-2026-27135

* Tue Oct 08 2024 Muhammad Falak <mwani@microsoft.com> - 1.57.0-2
- Address CVE-2024-28182

Expand Down
2 changes: 1 addition & 1 deletion toolkit/resources/manifests/package/pkggen_core_aarch64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ libsolv-devel-0.7.24-1.cm2.aarch64.rpm
libssh2-1.9.0-4.cm2.aarch64.rpm
libssh2-devel-1.9.0-4.cm2.aarch64.rpm
krb5-1.19.4-5.cm2.aarch64.rpm
nghttp2-1.57.0-2.cm2.aarch64.rpm
nghttp2-1.57.0-3.cm2.aarch64.rpm
curl-8.8.0-8.cm2.aarch64.rpm
curl-devel-8.8.0-8.cm2.aarch64.rpm
curl-libs-8.8.0-8.cm2.aarch64.rpm
Expand Down
2 changes: 1 addition & 1 deletion toolkit/resources/manifests/package/pkggen_core_x86_64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ libsolv-devel-0.7.24-1.cm2.x86_64.rpm
libssh2-1.9.0-4.cm2.x86_64.rpm
libssh2-devel-1.9.0-4.cm2.x86_64.rpm
krb5-1.19.4-5.cm2.x86_64.rpm
nghttp2-1.57.0-2.cm2.x86_64.rpm
nghttp2-1.57.0-3.cm2.x86_64.rpm
curl-8.8.0-8.cm2.x86_64.rpm
curl-devel-8.8.0-8.cm2.x86_64.rpm
curl-libs-8.8.0-8.cm2.x86_64.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,9 +261,9 @@ newt-0.52.21-5.cm2.aarch64.rpm
newt-debuginfo-0.52.21-5.cm2.aarch64.rpm
newt-devel-0.52.21-5.cm2.aarch64.rpm
newt-lang-0.52.21-5.cm2.aarch64.rpm
nghttp2-1.57.0-2.cm2.aarch64.rpm
nghttp2-debuginfo-1.57.0-2.cm2.aarch64.rpm
nghttp2-devel-1.57.0-2.cm2.aarch64.rpm
nghttp2-1.57.0-3.cm2.aarch64.rpm
nghttp2-debuginfo-1.57.0-3.cm2.aarch64.rpm
nghttp2-devel-1.57.0-3.cm2.aarch64.rpm
ninja-build-1.10.2-2.cm2.aarch64.rpm
ninja-build-debuginfo-1.10.2-2.cm2.aarch64.rpm
npth-1.6-4.cm2.aarch64.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -267,9 +267,9 @@ newt-0.52.21-5.cm2.x86_64.rpm
newt-debuginfo-0.52.21-5.cm2.x86_64.rpm
newt-devel-0.52.21-5.cm2.x86_64.rpm
newt-lang-0.52.21-5.cm2.x86_64.rpm
nghttp2-1.57.0-2.cm2.x86_64.rpm
nghttp2-debuginfo-1.57.0-2.cm2.x86_64.rpm
nghttp2-devel-1.57.0-2.cm2.x86_64.rpm
nghttp2-1.57.0-3.cm2.x86_64.rpm
nghttp2-debuginfo-1.57.0-3.cm2.x86_64.rpm
nghttp2-devel-1.57.0-3.cm2.x86_64.rpm
ninja-build-1.10.2-2.cm2.x86_64.rpm
ninja-build-debuginfo-1.10.2-2.cm2.x86_64.rpm
npth-1.6-4.cm2.x86_64.rpm
Expand Down
Loading