| Package | nghttp2 |
|---|---|
| Version | 1.18.1-1+deb9u5 (stretch), 1.36.0-2+deb10u4 (buster) |
| Related CVEs | CVE-2026-27135 |

It was discovered that nghttp2, an implementation of the HTTP/2 protocol, could be crashed via an assertion failure. A remote attacker could exploit this to cause a denial of service (DoS) by sending a malformed frame immediately after triggering the termination path.

For Debian 10 buster, this problem has been fixed in version 1.36.0-2+deb10u4.

For Debian 9 stretch, this problem has been fixed in version 1.18.1-1+deb9u5.

We recommend that you upgrade your nghttp2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.