Explore top 10 tips to secure your open-source projects now. Read More
×An update that solves one vulnerability can now be installed.. # Security update for nghttp2 Announcement ID: SUSE-SU-2026:2883-1 Release Date: 2026-07-13T09:54:51Z Rating: moderate References: * bsc#1269489 Cross-References: * CVE-2026-58055 CVSS scores: * CVE-2026-58055 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-58055 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N * CVE-2026-58055 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-58055 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N Affected Products: * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 An update that solves one vulnerability can now be installed. ## Description: This update for nghttp2 fixes the following issue * CVE-2026-58055: HTTP/1.1 Upgrade request can lead to HTTP request smuggling and cross-client response-queue poisoning (bsc#1269489). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2026-2883=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2026-2883=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2026-2883=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2026-2883=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patchSUSE-SLE-Micro-5.5-2026-2883=1 ## Package List: * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * libnghttp2-14-1.40.0-150200.25.1 * nghttp2-debuginfo-1.40.0-150200.25.1 * libnghttp2-14-debuginfo-1.40.0-150200.25.1 * nghttp2-debugsource-1.40.0-150200.25.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * libnghttp2-14-1.40.0-150200.25.1 * nghttp2-debuginfo-1.40.0-150200.25.1 * libnghttp2-14-debuginfo-1.40.0-150200.25.1 * nghttp2-debugsource-1.40.0-150200.25.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64) * libnghttp2-14-1.40.0-150200.25.1 * nghttp2-debugsource-1.40.0-150200.25.1 * nghttp2-debuginfo-1.40.0-150200.25.1 * libnghttp2-14-debuginfo-1.40.0-150200.25.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * libnghttp2-14-1.40.0-150200.25.1 * nghttp2-debuginfo-1.40.0-150200.25.1 * libnghttp2-14-debuginfo-1.40.0-150200.25.1 * nghttp2-debugsource-1.40.0-150200.25.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * libnghttp2-14-1.40.0-150200.25.1 * nghttp2-debuginfo-1.40.0-150200.25.1 * libnghttp2-14-debuginfo-1.40.0-150200.25.1 * nghttp2-debugsource-1.40.0-150200.25.1 ## References: * https://www.suse.com/security/cve/CVE-2026-58055.html * https://bugzilla.suse.com/show_bug.cgi?id=1269489 . A security update has been released for nghttp2 addressing a moderate issue related to HTTP smuggling risks. Install now.. SUSE updates, nghttp2 security, moderate threats, HTTP smuggling, Linux patches. . Severity: moderate. LinuxSecurity.com Team
An update that solves one vulnerability and has one bug fix can now be installed.. openSUSE security update: security update for nghttp2 ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21302-1 Rating: moderate References: * bsc#1269489 Cross-References: * CVE-2026-58055 CVSS scores: * CVE-2026-58055 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N * CVE-2026-58055 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves one vulnerability and has one bug fix can now be installed. Description: This update for nghttp2 fixes the following issue - CVE-2026-58055: HTTP request/response smuggling via upgrade request with `Content-Length` (bsc#1269489). Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-1213=1 Package List: - openSUSE Leap 16.0: libnghttp2-14-1.64.0-160000.4.1 libnghttp2-devel-1.64.0-160000.4.1 nghttp2-1.64.0-160000.4.1 References: * https://www.suse.com/security/cve/CVE-2026-58055.html . This openSUSE security update addresses a moderate issue in nghttp2 to enhance system protection and stability.. openSUSE update, nghttp2 patch, security alert. . Severity: moderate. LinuxSecurity.com Team
nghttp2 could allow unintended access to network services.. ========================================================================== Ubuntu Security Notice USN-8495-1 July 02, 2026 nghttp2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: nghttp2 could allow unintended access to network services. Software Description: - nghttp2: HTTP/2 C Library and tools Details: It was discovered that the nghttp2 nghttpx proxy incorrectly handled HTTP/1.1 Upgrade requests that included a Content-Length header and body. A remote attacker could possibly use this issue to perform HTTP request and response smuggling attacks against backend services. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS nghttp2 1.68.0-2ubuntu0.2 Ubuntu 25.10 nghttp2 1.64.0-1.1ubuntu1.2 Ubuntu 24.04 LTS nghttp2 1.59.0-1ubuntu0.4 Ubuntu 22.04 LTS nghttp2 1.43.0-1ubuntu0.4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8495-1 CVE-2026-58055 Package Information: https://launchpad.net/ubuntu/+source/nghttp2/1.68.0-2ubuntu0.2 https://launchpad.net/ubuntu/+source/nghttp2/1.64.0-1.1ubuntu1.2 https://launchpad.net/ubuntu/+source/nghttp2/1.59.0-1ubuntu0.4 https://launchpad.net/ubuntu/+source/nghttp2/1.43.0-1ubuntu0.4 . Unintended access through nghttp2 could expose network services. Update now to secure your Ubuntu system against risks.. nghttp2 security issue, Ubuntu network service access, HTTP/2 library vulnerabilities. . Severity: Important. LinuxSecurity.com Team
Security update. Publication date: 12 Jun 2026 URL: https://advisories.mageia.org/MGASA-2026-0199.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-27135 Description: Denial of service: Assertion failure due to missing state validation. (CVE-2026-27135) References: - https://bugs.mageia.org/show_bug.cgi?id=35252 - https://www.openwall.com/lists/oss-security/2026/03/20/3 - https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6 - https://lists.debian.org/debian-security-announce/2026/msg00177.html - https://www.cve.org/CVERecord?id=CVE-2026-27135 SRPMS: - 9/core/nghttp2-1.61.0-1.1.mga9 . Security update for Mageia with critical nghttp2 denial of service issue due to assertion failure. Urgent patch available.. Mageia, nghttp2 security, denial of service, nghttp2 update, Mageia vulnerability. . Severity: Critical. LinuxSecurity.com Team
It was discovered that nghttp2, an implementation of the HTTP/2 protocol, could be crashed via an assertion failure. A remote attacker could exploit this to cause a DoS attack by sending a malformed frame immediately after triggering the termination path. For the oldstable distribution (bookworm), this problem has been fixed. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6266-1
A vulnerabilitie was discovered in nghttp2, a server, proxy and client implementing HTTP/2. CVE-2026-27135 Fix missing iframe-> state validations to avoid assertion failure. As backported from upstream v1.68.1 (commit 5c7df8f), incl. upstream test case. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4581-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Lukas Märdian May 13, 2026 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : nghttp2 Version : 1.43.0-1+deb11u3 CVE ID : CVE-2026-27135 Debian Bug : 1131369 A vulnerabilitie was discovered in nghttp2, a server, proxy and client implementing HTTP/2. CVE-2026-27135 Fix missing iframe-> state validations to avoid assertion failure. As backported from upstream v1.68.1 (commit 5c7df8f), incl. upstream test case from commit c619c7be0737ac78051b1cacf4b1ce5467eb838d. For Debian 11 bullseye, this problem has been fixed in version 1.43.0-1+deb11u3. We recommend that you upgrade your nghttp2 packages. For the detailed security status of nghttp2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nghttp2 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . A critical security issue discovered in nghttp2 can lead to assertion failures; update recommended for Debian systems.. nghttp2 security update, Debian LTS advisory, HTTP/2 vulnerabilities. . Severity: Important. LinuxSecurity.com Team
nghttp2 could be made to crash if it received specially crafted network traffic.. ========================================================================== Ubuntu Security Notice USN-8233-2 May 06, 2026 nghttp2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS Summary: nghttp2 could be made to crash if it received specially crafted network traffic. Software Description: - nghttp2: HTTP/2 C Library and tools Details: USN-8233-1 fixed a vulnerability in nghttp2. This update provides the corresponding update for Ubuntu 26.04 LTS. Original advisory details: Andrew MacPherson discovered that nghttp2 did not properly validate internal state when the session termination API was called. A remote attacker could possibly use this issue to cause nghttp2 to crash, resulting in a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS libnghttp2-14 1.68.0-2ubuntu0.1 nghttp2 1.68.0-2ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8233-2 https://ubuntu.com/security/notices/USN-8233-1 CVE-2026-27135 Package Information: https://launchpad.net/ubuntu/+source/nghttp2/1.68.0-2ubuntu0.1 . nghttp2 in Ubuntu 26.04 LTS can crash from malicious traffic; critical update required to prevent DoS.. nghttp2 security, Ubuntu 26.04 advisory, critical bug fix, denial of service, package update. . Severity: Critical. LinuxSecurity.com Team
nghttp2 could be made to crash if it received specially crafted network traffic.. ========================================================================== Ubuntu Security Notice USN-8233-1 May 05, 2026 nghttp2 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: nghttp2 could be made to crash if it received specially crafted network traffic. Software Description: - nghttp2: HTTP/2 C Library and tools Details: Andrew MacPherson discovered that nghttp2 did not properly validate internal state when the session termination API was called. A remote attacker could possibly use this issue to cause nghttp2 to crash, resulting in a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 libnghttp2-14 1.64.0-1.1ubuntu1.1 nghttp2 1.64.0-1.1ubuntu1.1 Ubuntu 24.04 LTS libnghttp2-14 1.59.0-1ubuntu0.3 nghttp2 1.59.0-1ubuntu0.3 Ubuntu 22.04 LTS libnghttp2-14 1.43.0-1ubuntu0.3 nghttp2 1.43.0-1ubuntu0.3 Ubuntu 20.04 LTS libnghttp2-14 1.40.0-1ubuntu0.3+esm1 Available with Ubuntu Pro nghttp2 1.40.0-1ubuntu0.3+esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS libnghttp2-14 1.30.0-1ubuntu1+esm3 Available with Ubuntu Pro nghttp2 1.30.0-1ubuntu1+esm3 Available with Ubuntu Pro Ubuntu 16.04 LTS libnghttp2-14 1.7.1-1ubuntu0.1~esm3 Available with Ubuntu Pro nghttp2 1.7.1-1ubuntu0.1~esm3 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8233-1 CVE-2026-27135 Package Information: https://launchpad.net/ubuntu/+source/nghttp2/1.64.0-1.1ubuntu1.1 https://launchpad.net/ubuntu/+source/nghttp2/1.59.0-1ubuntu0.3 https://launchpad.net/ubuntu/+source/nghttp2/1.43.0-1ubuntu0.3 . Critical nghttp2 flaw allows denial of service with crafted traffic. Update Ubuntu systems to mitigate risks.. nghttp2, denial of service, Ubuntu security advisory, critical update. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.