Critical DoS Vulnerability in nghttp2 Affects Multiple Debian Releases
Severity: High (Score: 72.8)
Sources: Linuxsecurity
Summary
A denial-of-service (DoS) vulnerability, CVE-2026-27135, has been identified in nghttp2, the HTTP/2 library that many Debian packages link against, and it affects the supported Debian releases. The flaw is missing state validation in the library's inbound-frame parser (the `iframe` state machine in nghttp2's session code): a remote peer that drives the parser into an unexpected state triggers an assertion failure, which aborts the process using the library. Because the bug lives in the shared library, every process linked against libnghttp2 (for example Apache's mod_http2, or curl built with HTTP/2 support) inherits it until the library package is upgraded and those processes are restarted.

For Debian 11 (bullseye) the issue has been fixed in version 1.43.0-1+deb11u3; Debian 12 (bookworm) and Debian 13 (trixie) have received updates in versions 1.52.0-1+deb12u3 and 1.64.0-1.1+deb13u1, respectively. Users are advised to upgrade their nghttp2 packages to mitigate the risk.

The vulnerability was published on March 18, 2026, and a proof of concept (PoC) was made public on April 6, 2026. With a public PoC available and the flaw rated critical by the reporting source, the impact on service availability makes prompt patching urgent.

Key Points:
• CVE-2026-27135 is a critical DoS vulnerability in nghttp2 affecting Debian systems.
• Patches are available for Debian 11, 12, and 13, with a specific fixed version for each release.
• The vulnerability was disclosed on March 18, 2026, with a PoC released shortly after.
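The following is an added example, not part of the advisory above or of the nghttp2 or Debian projects: a small POSIX shell script that checks whether the installed nghttp2 runtime library on a Debian host is at or above the fixed version listed for its release. The fixed versions are the ones quoted in the advisory; the binary package name `libnghttp2-14` (the shared-library package on Debian 11 through 13) and the use of `/etc/os-release` for the release codename are assumptions of this example. Version comparison uses `dpkg --compare-versions` when dpkg is present and falls back to GNU `sort -V` otherwise, so the comparison logic can also be exercised off-box.

```shell
#!/bin/sh
# Added example: verify CVE-2026-27135 remediation state for nghttp2 on Debian.
# Fixed versions below are taken from the advisory text. Package name
# libnghttp2-14 and the /etc/os-release lookup are assumptions of this example.

fixed_version() {
  # Print the fixed libnghttp2 package version for a Debian codename,
  # or nothing if the release is not covered by the advisory.
  case "$1" in
    bullseye) printf '%s\n' "1.43.0-1+deb11u3" ;;
    bookworm) printf '%s\n' "1.52.0-1+deb12u3" ;;
    trixie)   printf '%s\n' "1.64.0-1.1+deb13u1" ;;
    *)        printf '\n' ;;
  esac
}

version_ge() {
  # Return 0 if Debian version $1 is greater than or equal to $2.
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    # Fallback for non-Debian hosts: for versions shaped like the ones above,
    # GNU sort -V orders them the same way dpkg does (a bare "1.64.0-1.1"
    # sorts before "1.64.0-1.1+deb13u1", and u2 before u3).
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

is_patched() {
  # Usage: is_patched <codename> <installed-version>
  # Exit status: 0 = fixed version or later, 1 = still vulnerable,
  #              2 = release not covered by this advisory.
  fixed=$(fixed_version "$1")
  [ -n "$fixed" ] || return 2
  version_ge "$2" "$fixed"
}

check_host() {
  # Query the live system. Only meaningful on a Debian host; elsewhere the
  # lookups come back empty and the verdict says so instead of failing.
  codename=""
  if [ -r /etc/os-release ]; then
    codename=$(. /etc/os-release && printf '%s' "$VERSION_CODENAME")
  fi
  installed=$(dpkg-query -W -f='${Version}' libnghttp2-14 2>/dev/null) || installed=""
  if [ -z "$codename" ] || [ -z "$installed" ]; then
    echo "libnghttp2-14: unable to determine release codename or installed version"
    return 2
  fi
  if is_patched "$codename" "$installed"; then
    echo "libnghttp2-14 $installed on $codename: fixed for CVE-2026-27135"
    return 0
  fi
  rc=$?
  if [ "$rc" -eq 2 ]; then
    echo "libnghttp2-14 $installed on $codename: release not covered by this advisory"
  else
    echo "libnghttp2-14 $installed on $codename: VULNERABLE, upgrade to $(fixed_version "$codename") and restart services linked against it"
  fi
  return "$rc"
}

# Run the live check when executed directly; the functions above can also be
# sourced and called individually. The status is ignored here so the script
# can be sourced without terminating the caller's shell.
check_host || :
```

After upgrading, remember that the check only confirms the on-disk package version: long-running daemons keep the old library mapped until they are restarted, so follow the package upgrade with a restart of every service that links libnghttp2 (tools such as `needrestart` or `checkrestart` from debian-goodies will list them).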