
Commit 9c9224a

Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch nghttp2 for CVE-2026-27135 [HIGH] - branch 3.0-dev" #16246
Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
1 parent 9aeee56 commit 9c9224a

6 files changed

Lines changed: 122 additions & 11 deletions


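--- a/SPECS/nghttp2/CVE-2026-27135.patch
+++ b/SPECS/nghttp2/CVE-2026-27135.patch
@@ -0,0 +1,107 @@
+From 5fb1bc89bc8ac155c1284e4a4b9fd8746e863d94 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Wed, 18 Feb 2026 18:04:30 +0900
+Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
+failure
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1.patch
+---
+lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++
+1 file changed, 32 insertions(+)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 004a4df..1711a39 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -6079,6 +6079,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+return rv;
+}
+
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
++
+on_begin_frame_called = 1;
+
+rv = session_process_headers_frame(session);
+@@ -6445,6 +6449,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+if (nghttp2_is_fatal(rv)) {
+return rv;
+}
++
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
+}
+}
+
+@@ -6701,6 +6709,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+return rv;
+}
+
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
++
+session_inbound_frame_reset(session);
+
+break;
+@@ -6761,6 +6773,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+return (nghttp2_ssize)inlen;
+}
+
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
++
+if (rv == NGHTTP2_ERR_PAUSE) {
+in += hd_proclen;
+iframe->payloadleft -= hd_proclen;
+@@ -7004,6 +7020,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+if (nghttp2_is_fatal(rv)) {
+return rv;
+}
++
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
+} else {
+iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
+}
+@@ -7189,6 +7209,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+return rv;
+}
+
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
++
+session_inbound_frame_reset(session);
+
+break;
+@@ -7256,6 +7280,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+return rv;
+}
+
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
++
+if (rv != 0) {
+busy = 1;
+
+@@ -7274,6 +7302,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+return rv;
+}
+
++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++ return (nghttp2_ssize)inlen;
++ }
++
+session_inbound_frame_reset(session);
+
+break;
+--
+2.45.4
+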
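Review bot: The eight added `iframe->state == NGHTTP2_IB_IGN_ALL` guards in nghttp2_session_mem_recv2 carry no comment, so nothing at the call sites says why parsing stops there or why the whole of `inlen` is reported as consumed. A one-line comment above each guard would help, for example `/* the preceding call may have switched the inbound state to IGN_ALL; stop parsing and report all input as consumed */`, with the wording confirmed against the callees, which lie outside these hunks along with the rest of the function body. The patch's `From` hash differs from the commit named in `Upstream-reference`, so this looks like a regenerated backport onto 1.61.0, and it is worth diffing against the upstream commit to confirm that no guarded call site was dropped. The inner diffstat touches only lib/nghttp2_session.c, so no regression test for the assertion failure ships with the package.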

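--- a/SPECS/nghttp2/nghttp2.spec
+++ b/SPECS/nghttp2/nghttp2.spec
@@ -1,13 +1,14 @@
 Summary: nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.
 Name: nghttp2
 Version: 1.61.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 Group: Applications/System
 URL: https://nghttp2.org
 Source0: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Patch0: CVE-2026-27135.patch
 BuildRequires: gcc
 BuildRequires: make
 %if 0%{?with_check}
@@ -59,6 +60,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Thu Mar 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.61.0-3
+- Patch for CVE-2026-27135
+
 * Thu Aug 29 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.61.0-2
 - Fix test-time dependency on CUnit.
 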
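Review bot: `Patch0: CVE-2026-27135.patch` is declared in the preamble, but the `%prep` section lies between the two hunks and is not shown, so it cannot be confirmed from this diff that the patch is actually applied during the build. If `%prep` uses `%autosetup -p1` the new patch is picked up automatically; if it uses plain `%setup`, an explicit `%patch -P 0 -p1` is needed, otherwise the release is bumped to 1.61.0-3 while the shipped library stays unpatched. Checking the build log for the patch being applied would settle this before the manifests advertise the new release as fixed.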

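--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -197,8 +197,8 @@ libssh2-1.11.1-1.azl3.aarch64.rpm
 libssh2-devel-1.11.1-1.azl3.aarch64.rpm
 krb5-1.21.3-3.azl3.aarch64.rpm
 krb5-devel-1.21.3-3.azl3.aarch64.rpm
-nghttp2-1.61.0-2.azl3.aarch64.rpm
-nghttp2-devel-1.61.0-2.azl3.aarch64.rpm
+nghttp2-1.61.0-3.azl3.aarch64.rpm
+nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
 curl-8.11.1-5.azl3.aarch64.rpm
 curl-devel-8.11.1-5.azl3.aarch64.rpm
 curl-libs-8.11.1-5.azl3.aarch64.rpm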

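--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -197,8 +197,8 @@ libssh2-1.11.1-1.azl3.x86_64.rpm
 libssh2-devel-1.11.1-1.azl3.x86_64.rpm
 krb5-1.21.3-3.azl3.x86_64.rpm
 krb5-devel-1.21.3-3.azl3.x86_64.rpm
-nghttp2-1.61.0-2.azl3.x86_64.rpm
-nghttp2-devel-1.61.0-2.azl3.x86_64.rpm
+nghttp2-1.61.0-3.azl3.x86_64.rpm
+nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
 curl-8.11.1-5.azl3.x86_64.rpm
 curl-devel-8.11.1-5.azl3.x86_64.rpm
 curl-libs-8.11.1-5.azl3.x86_64.rpm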

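--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -277,9 +277,9 @@ newt-0.52.23-1.azl3.aarch64.rpm
 newt-debuginfo-0.52.23-1.azl3.aarch64.rpm
 newt-devel-0.52.23-1.azl3.aarch64.rpm
 newt-lang-0.52.23-1.azl3.aarch64.rpm
-nghttp2-1.61.0-2.azl3.aarch64.rpm
-nghttp2-debuginfo-1.61.0-2.azl3.aarch64.rpm
-nghttp2-devel-1.61.0-2.azl3.aarch64.rpm
+nghttp2-1.61.0-3.azl3.aarch64.rpm
+nghttp2-debuginfo-1.61.0-3.azl3.aarch64.rpm
+nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
 ninja-build-1.11.1-1.azl3.aarch64.rpm
 ninja-build-debuginfo-1.11.1-1.azl3.aarch64.rpm
 npth-1.6-4.azl3.aarch64.rpm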

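--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -285,9 +285,9 @@ newt-0.52.23-1.azl3.x86_64.rpm
 newt-debuginfo-0.52.23-1.azl3.x86_64.rpm
 newt-devel-0.52.23-1.azl3.x86_64.rpm
 newt-lang-0.52.23-1.azl3.x86_64.rpm
-nghttp2-1.61.0-2.azl3.x86_64.rpm
-nghttp2-debuginfo-1.61.0-2.azl3.x86_64.rpm
-nghttp2-devel-1.61.0-2.azl3.x86_64.rpm
+nghttp2-1.61.0-3.azl3.x86_64.rpm
+nghttp2-debuginfo-1.61.0-3.azl3.x86_64.rpm
+nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
 ninja-build-1.11.1-1.azl3.x86_64.rpm
 ninja-build-debuginfo-1.11.1-1.azl3.x86_64.rpm
 npth-1.6-4.azl3.x86_64.rpm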
