nghttp2-1.33.0-6.el8_10.2

エラータID: AXSA:2026-443:02

Release date: 
Friday, April 17, 2026 - 16:00
Subject: 
nghttp2-1.33.0-6.el8_10.2
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C.

Security Fix(es):

* nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Solution: 

Update packages.

CVEs: 
CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
Additional Info: 

N/A

Download: 

SRPMS
  1. nghttp2-1.33.0-6.el8_10.2.src.rpm
    MD5: e1b1e62270276d162981e571cfa73056
    SHA-256: 1ae1395d7c6b6eeffda1203630659cecb78b87c9362c88fc868f7b46ee7201c7
    Size: 1.52 MB

Asianux Server 8 for x86_64
  1. libnghttp2-1.33.0-6.el8_10.2.i686.rpm
    MD5: ba841543540ac381d1d0ef7644b3d33c
    SHA-256: af41c88859686ce1236f8e8537ad9fc8a126cd4ff19f3b8fd1ec7a25ab957753
    Size: 83.68 kB
  2. libnghttp2-1.33.0-6.el8_10.2.x86_64.rpm
    MD5: 3d93e3893e18c9bf222925897cc2ab27
    SHA-256: 94d0c7c9d4c12bd87059d525b4528beef2281935cb7bd5390c1be851e3fe36cd
    Size: 77.37 kB
  3. libnghttp2-devel-1.33.0-6.el8_10.2.i686.rpm
    MD5: 901813bdc36c1446bc86249f126dddc3
    SHA-256: 82dc616ee1bda94488f8f4d04b2a96e0e6d4e8f203fcdcf76297489c9fb31535
    Size: 60.10 kB
  4. libnghttp2-devel-1.33.0-6.el8_10.2.x86_64.rpm
    MD5: 25b0f44175e92568018212919f570b70
    SHA-256: d89cf8e7a4d03048ae3b89316ac4af43467e51808d82cd5e97100611fb1641cd
    Size: 60.08 kB
  5. nghttp2-1.33.0-6.el8_10.2.x86_64.rpm
    MD5: 3b4310b915690d7f7a4044204076b000
    SHA-256: 87b7ab27397aeccc424017c008507502c9c5f1ccbb2095d1d5936083333e25c9
    Size: 597.94 kB