public inbox for buildroot@busybox.net
From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Thomas Perale <thomas.perale@mind.be>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/nghttp2: patch CVE-2026-27135
Date: Fri,  3 Apr 2026 11:16:27 +0200
Message-ID: <20260403091627.57341-1-thomas.perale@mind.be>
In-Reply-To: <20260403084221.35659-1-thomas.perale@mind.be>

Only for 2025.02.x & 2026.02.x. Removed on patchwork and resent.

In reply to:
> Fixes the following vulnerability:
> 
> - CVE-2026-27135:
>     nghttp2 is an implementation of the Hypertext Transfer Protocol
>     version 2 in C. Prior to version 1.68.1, the nghttp2 library stops
>     reading the incoming data when user facing public API
>     `nghttp2_session_terminate_session` or
>     `nghttp2_session_terminate_session2` is called by the application.
>     They might be called internally by the library when it detects the
>     situation that is subject to connection error. Due to the missing
>     internal state validation, the library keeps reading the rest of the
>     data after one of those APIs is called. Then receiving a malformed
>     frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2
>     v1.68.1 adds missing state validation to avoid assertion failure. No
>     known workarounds are available.
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2026-27135
>   - https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

> ---
>  ...lidations-to-avoid-assertion-failure.patch | 105 ++++++++++++++++++
>  package/nghttp2/nghttp2.mk                    |   3 +
>  2 files changed, 108 insertions(+)
>  create mode 100644 package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch
> 
> diff --git a/package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch b/package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch
> new file mode 100644
> index 0000000000..ef8b9a5a5d
> --- /dev/null
> +++ b/package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch
> @@ -0,0 +1,105 @@
> +From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001
> +From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
> +Date: Wed, 18 Feb 2026 18:04:30 +0900
> +Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
> + failure
> +
> +CVE: CVE-2026-27135
> +Upstream: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++
> + 1 file changed, 32 insertions(+)
> +
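
Review bot: the patch header does not say which nghttp2 release this backport was made against, while the cover text targets two branches (2025.02.x and 2026.02.x). The hunks that follow keep upstream offsets such as `@@ -5573,6 +5573,10 @@`; please state in the commit message that the patch applies without fuzz to the nghttp2 version on each branch, or send a per-branch patch if it does not.
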
> +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
> +index bcea547343..0fbcc930b9 100644
> +--- a/lib/nghttp2_session.c
> ++++ b/lib/nghttp2_session.c
> +@@ -5573,6 +5573,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +           return rv;
> +         }
> + 
> ++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++          return (nghttp2_ssize)inlen;
> ++        }
> ++
> +         on_begin_frame_called = 1;
> + 
> +         rv = session_process_headers_frame(session);
> +@@ -6041,6 +6045,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +           if (nghttp2_is_fatal(rv)) {
> +             return rv;
> +           }
> ++
> ++          if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++            return (nghttp2_ssize)inlen;
> ++          }
> +         }
> +       }
> + 
> +@@ -6293,6 +6301,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +           return rv;
> +         }
> + 
> ++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++          return (nghttp2_ssize)inlen;
> ++        }
> ++
> +         session_inbound_frame_reset(session);
> + 
> +         break;
> +@@ -6599,6 +6611,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +         if (nghttp2_is_fatal(rv)) {
> +           return rv;
> +         }
> ++
> ++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++          return (nghttp2_ssize)inlen;
> ++        }
> +       } else {
> +         iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
> +       }
> +@@ -6775,6 +6791,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +             rv = session->callbacks.on_data_chunk_recv_callback(
> +               session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,
> +               in - readlen, (size_t)data_readlen, session->user_data);
> ++            if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++              return (nghttp2_ssize)inlen;
> ++            }
> ++
> +             if (rv == NGHTTP2_ERR_PAUSE) {
> +               return (nghttp2_ssize)(in - first);
> +             }
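
Review bot: in this hunk the `iframe->state == NGHTTP2_IB_IGN_ALL` check sits directly after the `on_data_chunk_recv_callback` call and before `rv` is looked at, whereas the other hunks place it after the `nghttp2_is_fatal(rv)` test. On that path the callback's return value, including `NGHTTP2_ERR_PAUSE`, is discarded and `inlen` is returned instead. If upstream has it in this order, keep it verbatim, but please confirm against 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 that the position was not shifted while preparing the backport.
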
> +@@ -6861,6 +6881,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +           return rv;
> +         }
> + 
> ++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++          return (nghttp2_ssize)inlen;
> ++        }
> ++
> +         if (rv != 0) {
> +           busy = 1;
> + 
> +@@ -6879,6 +6903,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +         return rv;
> +       }
> + 
> ++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++        return (nghttp2_ssize)inlen;
> ++      }
> ++
> +       session_inbound_frame_reset(session);
> + 
> +       break;
> +@@ -6907,6 +6935,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
> +         return rv;
> +       }
> + 
> ++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
> ++        return (nghttp2_ssize)inlen;
> ++      }
> ++
> +       session_inbound_frame_reset(session);
> + 
> +       break;
> diff --git a/package/nghttp2/nghttp2.mk b/package/nghttp2/nghttp2.mk
> index 98f837e28e..9e051d24ed 100644
> --- a/package/nghttp2/nghttp2.mk
> +++ b/package/nghttp2/nghttp2.mk
> @@ -14,6 +14,9 @@ NGHTTP2_CPE_ID_VENDOR = nghttp2
>  NGHTTP2_DEPENDENCIES = host-pkgconf
>  NGHTTP2_CONF_OPTS = --enable-lib-only
>  
> +# 0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch
> +NGHTTP2_IGNORE_CVES += CVE-2026-27135
> +
>  define NGHTTP2_INSTALL_CLEAN_HOOK
>  	# Remove fetch-ocsp-response script unused by library
>  	$(Q)$(RM) -rf $(TARGET_DIR)/usr/share/nghttp2
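
Review bot: the CVE is now recorded in two places, the `CVE:` line of the patch header and `NGHTTP2_IGNORE_CVES` here, and neither says when the entry can be dropped. The commit message gives 1.68.1 as the fixed release, so extend the comment above `NGHTTP2_IGNORE_CVES` to say the fix is upstream in 1.68.1, so that a later version bump on these branches removes the patch and this line together.
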
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

Thread overview: 2+ messages
2026-04-03  8:42 [Buildroot] [PATCH 1/1] package/nghttp2: patch CVE-2026-27135 Thomas Perale via buildroot
2026-04-03  9:16 ` Thomas Perale via buildroot [this message]
