nghttp2-1.43.0-6.el9_7.1

エラータID: AXSA:2026-438:01

Release date: 
Thursday, April 16, 2026 - 22:10
Subject: 
nghttp2-1.43.0-6.el9_7.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C.

Security Fix(es):

* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Solution: 

Update packages.

CVEs: 
CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Additional Info: 

N/A

Download: 

SRPMS
  1. nghttp2-1.43.0-6.el9_7.1.src.rpm
    MD5: 34d1f5a88c40057aeb582998b7480531
    SHA-256: 52180f16944742ecabcc37db8879e5c0c33682366ee9c69197b61c6a1dfbe2ab
    Size: 3.81 MB

Asianux Server 9 for x86_64
  1. libnghttp2-1.43.0-6.el9_7.1.i686.rpm
    MD5: 9628bd31f8b8ed2ec9a84f01d3c18706
    SHA-256: 9953ca8858783759bd348983da85e9d8d8ddb46fd341d6093a463039b80b5afd
    Size: 78.13 kB
  2. libnghttp2-1.43.0-6.el9_7.1.x86_64.rpm
    MD5: bd2cd1a3bfc434eda8c58156ccbd1e80
    SHA-256: a66e52101df5269ce21781a6a0fb2f15473a0d8297d08d6e84557f514690e3c6
    Size: 72.18 kB
  3. libnghttp2-devel-1.43.0-6.el9_7.1.i686.rpm
    MD5: 4471455700506c4bc621954512ee7928
    SHA-256: 853982a82aa30defb193b3dfceb2c48e5b9a08e99942918c68760ad077ee8000
    Size: 51.93 kB
  4. libnghttp2-devel-1.43.0-6.el9_7.1.x86_64.rpm
    MD5: 0abe07c757f158d5b4a1a8b445d7f6e9
    SHA-256: 69e1e26bfe9ae28a988f6373f34b3524ab56d563d29057ee6e7f500d458241f5
    Size: 51.90 kB
  5. nghttp2-1.43.0-6.el9_7.1.x86_64.rpm
    MD5: 282831b59004c208202b7c45d3ec2a84
    SHA-256: 9cc5a29856ec0b4bb256a444480f09b4b9360944d62212a9e045f4da3abee252
    Size: 570.58 kB