nghttp2 Denial-of-Service Vulnerability Due to Missing State Validation

Vulnerability

A denial-of-service vulnerability has been identified in the nghttp2 library, which implements HTTP/2 in C. This issue affects versions of nghttp2 through 1.68.0. The vulnerability arises because the library fails to properly validate internal states when the public APIs 'nghttp2_session_terminate_session' or 'nghttp2_session_terminate_session2' are called. As a result, after these APIs are invoked, the library continues to read incoming data. If a malformed frame is then received, it can trigger an assertion failure. This vulnerability can be exploited when the library processes certain types of frames, such as ALTSVC or PRIORITY_UPDATE, especially if these frame types are enabled through nghttp2 options.

Impact

Exploitation of this vulnerability leads to an assertion failure, causing a denial-of-service condition. In builds where assertions are disabled, the vulnerability may allow the library to continue processing incoming data after the termination session call, potentially leading to other issues.

Reproduction

The vulnerability can be reproduced by calling 'nghttp2_session_terminate_session' or 'nghttp2_session_terminate_session2' while processing ALTSVC frames. After the termination call, a malformed frame that violates the FRAME_SIZE rules should be sent. This sequence will trigger the assertion failure, demonstrating the vulnerability.

Remediation

Users are advised to upgrade to nghttp2 version 1.68.1, which includes the necessary state validations to prevent the assertion failure. For those using a build that disables assertions, it is still recommended to apply the patch, as the vulnerability could lead to unintended data processing.

Added: Mar 18, 2026, 7:36 PM
Updated: Mar 18, 2026, 7:36 PM

Vulnerability Rating

Custom Algorithm
spread
7.3
impact
2.5
exploitability
9.1
remediation
7.7
relevance
2.7
threat
4.8
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.