Critical DoS Vulnerability in nghttp2 Affects Multiple Debian Releases

Critical DoS Vulnerability in nghttp2 Affects Multiple Debian Releases

First seen 14 May 2026, 13:48 UTC Linuxsecurity 72% similarity 72.8

Article Content

Browse articles
ThreatCluster

A critical denial-of-service (DoS) vulnerability, CVE-2026-27135, was identified in nghttp2, affecting Debian distributions. The flaw allows attackers to exploit missing iframe state validations, leading to assertion failures. For Debian 11 (bullseye), the issue has been patched in version 1.43.0-1+deb11u3, while Debian 12 (bookworm) and Debian 13 (trixie) have received updates in versions 1.52.0-1+deb12u3 and 1.64.0-1.1+deb13u1, respectively. Users are advised to upgrade their nghttp2 packages to mitigate the risk. The vulnerability was published on March 18, 2026, with a proof of concept (PoC) made public on April 6, 2026. The urgency of the situation is underscored by the critical nature of the flaw and its potential impact on system availability.

Key Points: • CVE-2026-27135 is a critical DoS vulnerability in nghttp2 affecting Debian systems. • Patches are available for Debian 11, 12, and 13, with specific versions recommended for each. • The vulnerability was disclosed on March 18, 2026, with a PoC released shortly after.

ThreatCluster AI

Timeline

2026-03-18
CVE-2026-27135 published
A critical DoS vulnerability in nghttp2 was disclosed, affecting multiple Debian versions.
Linuxsecurity
2026-04-06
First public PoC released
A proof of concept for CVE-2026-27135 was made public, increasing the risk of exploitation.
Linuxsecurity
2026-05-13
Patch released for Debian 11
Debian 11 (bullseye) received a patch in version 1.43.0-1+deb11u3 to fix the vulnerability.
Linuxsecurity
2026-05-14
Patches released for Debian 12 and 13
Debian 12 (bookworm) and 13 (trixie) received patches in versions 1.52.0-1+deb12u3 and 1.64.0-1.1+deb13u1, respectively.
Linuxsecurity

Community

Browse all →