Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch cmake for CVE-2026-27135 [HIGH] - branch 3.0-dev" #16264

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>

Author: 3 people

SPECS/cmake/CVE-2026-27135.patch

@@ -0,0 +1,117 @@
+From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Wed, 18 Feb 2026 18:04:30 +0900
+Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
+ failure
+
+Upstream Patch reference: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1.patch
+---
+ Utilities/cmnghttp2/lib/nghttp2_session.c | 40 ++++++++++++++++++++---
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/Utilities/cmnghttp2/lib/nghttp2_session.c b/Utilities/cmnghttp2/lib/nghttp2_session.c
+index ee839769..c150dff6 100644
+--- a/Utilities/cmnghttp2/lib/nghttp2_session.c
++++ b/Utilities/cmnghttp2/lib/nghttp2_session.c
+@@ -6120,6 +6120,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
++
+         on_begin_frame_called = 1;
+ 
+         rv = session_process_headers_frame(session);
+@@ -6486,6 +6490,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           if (nghttp2_is_fatal(rv)) {
+             return rv;
+           }
++
++          if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++            return (ssize_t)inlen;
++          }
+         }
+       }
+ 
+@@ -6742,6 +6750,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
++
+         session_inbound_frame_reset(session);
+ 
+         break;
+@@ -7045,6 +7057,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         if (nghttp2_is_fatal(rv)) {
+           return rv;
+         }
++
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
+       } else {
+         iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
+       }
+@@ -7210,13 +7226,17 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+             rv = session->callbacks.on_data_chunk_recv_callback(
+                 session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
+                 in - readlen, (size_t)data_readlen, session->user_data);
+-            if (rv == NGHTTP2_ERR_PAUSE) {
+-              return in - first;
+-            }
+-
+             if (nghttp2_is_fatal(rv)) {
+               return NGHTTP2_ERR_CALLBACK_FAILURE;
+             }
++
++            if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++              return (ssize_t)inlen;
++            }
++
++            if (rv == NGHTTP2_ERR_PAUSE) {
++              return in - first;
++            }
+           }
+         }
+       }
+@@ -7297,6 +7317,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (ssize_t)inlen;
++        }
++
+         if (rv != 0) {
+           busy = 1;
+ 
+@@ -7315,6 +7339,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         return rv;
+       }
+ 
++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++        return (ssize_t)inlen;
++      }
++
+       session_inbound_frame_reset(session);
+ 
+       break;
+@@ -7343,6 +7371,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
+         return rv;
+       }
+ 
++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++        return (ssize_t)inlen;
++      }
++
+       session_inbound_frame_reset(session);
+ 
+       break;
+-- 
+2.43.0
+

SPECS/cmake/cmake.spec

@@ -2,7 +2,7 @@
 Summary:        Cmake
 Name:           cmake
 Version:        3.30.3
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        BSD AND LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,6 +35,7 @@ Patch15:	CVE-2025-10148.patch
 Patch16:	CVE-2025-14017.patch
 Patch17:	CVE-2025-10966.patch
 Patch18:	CVE-2025-14524.patch
+Patch19:	CVE-2026-27135.patch
 
 BuildRequires:  bzip2
 BuildRequires:  bzip2-devel
@@ -115,6 +116,9 @@ bin/ctest --force-new-ctest-process --rerun-failed --output-on-failure
 %{_libdir}/rpm/macros.d/macros.cmake
 
 %changelog
+* Fri Mar 20 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.30.3-13
+- Patch for CVE-2026-27135
+
 * Wed Jan 21 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.30.3-12
 - Patch for CVE-2025-10966 & CVE-2025-14524
 

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -51,8 +51,8 @@ check-debuginfo-0.15.2-1.azl3.aarch64.rpm
 chkconfig-1.25-1.azl3.aarch64.rpm
 chkconfig-debuginfo-1.25-1.azl3.aarch64.rpm
 chkconfig-lang-1.25-1.azl3.aarch64.rpm
-cmake-3.30.3-12.azl3.aarch64.rpm
-cmake-debuginfo-3.30.3-12.azl3.aarch64.rpm
+cmake-3.30.3-13.azl3.aarch64.rpm
+cmake-debuginfo-3.30.3-13.azl3.aarch64.rpm
 coreutils-9.4-6.azl3.aarch64.rpm
 coreutils-debuginfo-9.4-6.azl3.aarch64.rpm
 coreutils-lang-9.4-6.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -54,8 +54,8 @@ check-debuginfo-0.15.2-1.azl3.x86_64.rpm
 chkconfig-1.25-1.azl3.x86_64.rpm
 chkconfig-debuginfo-1.25-1.azl3.x86_64.rpm
 chkconfig-lang-1.25-1.azl3.x86_64.rpm
-cmake-3.30.3-12.azl3.x86_64.rpm
-cmake-debuginfo-3.30.3-12.azl3.x86_64.rpm
+cmake-3.30.3-13.azl3.x86_64.rpm
+cmake-debuginfo-3.30.3-13.azl3.x86_64.rpm
 coreutils-9.4-6.azl3.x86_64.rpm
 coreutils-debuginfo-9.4-6.azl3.x86_64.rpm
 coreutils-lang-9.4-6.azl3.x86_64.rpm